Abstract. In this paper we study interpolation in local extensions of a base theory. We 
identify situations in which it is possible to obtain interpolants in a hierarchical manner, 
by using a prover and a procedure for generating interpolants in the base theory as black- 
boxes. We present several examples of theory extensions in which interpolants can be 
computed this way, and discuss applications in verification, knowledge representation, and 
modular reasoning in combinations of local theories. 



Many problems in mathematics and computer science can be reduced to proving satisfiability 
of conjunctions of (ground) literals modulo a background theory. This theory can be a 
standard theory, the extension of a base theory with additional functions, or a combination 
of theories. It is therefore very important to find efficient methods for reasoning in standard 
as well as complex theories. However, it is often equally important to find local causes for 
inconsistency. In distributed databases, for instance, finding local causes of inconsistency 
can help in locating errors. Similarly, in abstraction-based verification, finding the cause of 
inconsistency in a counterexample at the concrete level helps to rule out certain spurious 
counterexamples in the abstraction. 

The problem we address in this paper can be described as follows: Let T be a theory 
and A and B be sets of ground clauses in the signature of T, possibly with additional 
constants. Assume that A ∧ B is inconsistent with respect to T. Can we find a ground 
formula I, containing only constants and function symbols common to A and B, such that 
I is a consequence of A with respect to T, and B ∧ I is inconsistent modulo T? If so, I 
is a (Craig) interpolant of A and B, and can be regarded as a "local" explanation for the 
inconsistency of A ∧ B. 

In this paper we study possibilities of obtaining ground interpolants in theory extensions. 
We identify situations in which it is possible to do this in a hierarchical manner, by 
using a prover and a procedure for generating interpolants in the base theory as "black 
boxes". 

1998 ACM Subject Classification: F.4.1, I.2.3, D.2.4, F.3.1, I.2.4. 
We consider a special type of extensions of a base theory - namely local theory 
extensions - which we studied in [15]. We showed that in this case hierarchical reasoning is 
possible, i.e. proof tasks in the extension can be reduced to proof tasks in the base theory. 
Here we study possibilities of hierarchical interpolant generation in local theory extensions. 

The main contributions of the paper are summarized below: 

• First, we identify new examples of local theory extensions. 

• Second, we present a method for generating interpolants in local extensions of a base 
theory. The method is general, in the sense that it can be applied to an extension T_1 of 
a theory T_0 provided that: 

(i) T_0 is convex; 

(ii) T_0 is P-interpolating for a specified set P of predicates (cf. the definition in Section 5.2); 

(iii) in T_0 every inconsistent conjunction of ground clauses A ∧ B allows a ground interpolant; 

(iv) the extension is defined by clauses of a special form (type (5.1) in Section 5.2). 

The method is hierarchical: the problem of finding interpolants in T_1 is reduced to that 
of finding interpolants in the base theory T_0. We can use the properties of T_0 to control 
the form of interpolants in the extension T_1. 

• Third, we identify examples of theory extensions with properties (i)-(iv). 

• Fourth, we discuss application domains such as: modular reasoning in combinations of 
local theories (characterization of the type of information which needs to be exchanged), 
reasoning in distributed databases, and verification. 

The existence of ground interpolants has been studied in several recent papers, mainly 
motivated by abstraction-refinement based verification [2, 5, 9, 19, 6]. In [8] McMillan 
presents a method for generating ground interpolants from proofs in an extension of linear 
rational arithmetic with uninterpreted function symbols. The use of free function symbols is 
sometimes too coarse (cf. the example in Section 2.2). Here, we show that similar results also 
hold for other types of extensions of a base theory, provided that the base theory has some of 
the properties of linear rational arithmetic. Another method for generating interpolants for 
combinations of theories over disjoint signatures from Nelson-Oppen-style unsatisfiability 
proofs was proposed by Yorsh and Musuvathi in [19]. Although we impose similar conditions 
on T_0, our method is orthogonal to theirs, as it can also handle combinations of theories 
over non-disjoint signatures. In [6] a different interpolation property - stronger than the 
property under consideration in this paper - is studied, namely the existence of ground 
interpolants for arbitrary formulae - which is proved to be equivalent to the theory having 
quantifier elimination. This limits the applicability of the results in [6] to situations in which 
the involved theories allow quantifier elimination. If the theory considered has quantifier 
elimination then we can use this for obtaining ground interpolants for arbitrary formulae. 
The goal of our paper is to identify theories - possibly without quantifier elimination - in 
which, nevertheless, ground interpolants for ground formulae exist. 

Structure of the paper: We start by providing motivation for the study in Section 2. In 
Section 3 the basic notions needed in the paper are introduced. Section 4 contains results 
on local theory extensions. In Section 5 local extensions allowing hierarchical interpolation 
are identified, and based on this, in Section 6 a procedure for computing interpolants 
hierarchically is given. In Section 7 applications to modular reasoning in combinations of 
theories, reasoning in complex databases, and verification are presented. In Section 8 we 
draw conclusions, discuss the relationship with existing work, and sketch some plans for 
future work. For the sake of clarity in presentation, all the proofs that are not directly 
related to the main thread of the paper can be found in the appendix. (These results concern 
illustrations of the fact that certain theory extensions are local, or satisfy assumptions that 
guarantee that interpolants can be computed hierarchically.) 

2. Motivation 

In this section we present two fields of applications in which it is important to efficiently 
compute interpolants: knowledge representation and verification. 

2.1. Knowledge representation. Consider a simple (and faulty) terminological database 
for chemistry, consisting of two extensions of a common kernel Chem (basic chemistry): 
AChem (inorganic chemistry) and BioChem (biochemistry). Assume that Chem contains a 
set C_0 = {process, reaction, substance, organic, inorganic} of concepts and a set Γ_0 of 
constraints: 

Γ_0 = {organic ∧ inorganic = 0, organic ⊑ substance, inorganic ⊑ substance}. 

Let AChem be an extension of Chem with concepts C_1 = {cat-oxydation, oxydation}, a role 
R_1 = {catalyzes}, terminology 𝒯_1 and constraints Γ_1: 

𝒯_1 = {cat-oxydation = substance ∧ ∃catalyzes(oxydation)} 

Γ_1 = {reaction ⊑ oxydation, cat-oxydation ⊑ inorganic, cat-oxydation ≠ 0}. 

Let BioChem be an extension of Chem with the concept C_2 = {enzyme}, the roles R_2 = 
{produces, catalyzes}, terminology 𝒯_2 and constraints Γ_2: 

𝒯_2 = {reaction = process ∧ ∃produces(substance), enzyme = organic ∧ ∃catalyzes(reaction)} 

Γ_2 = {enzyme ≠ 0}. 

The combination of Chem, AChem and BioChem is inconsistent (we wrongly added to Γ_1 
the constraint reaction ⊑ oxydation instead of oxydation ⊑ reaction). This can be proved 
as follows: By results in [13] (p. 156 and p. 166) the combination of Chem, AChem and 
BioChem is inconsistent if and only if 

Γ_0 ∧ (𝒯_1 ∧ Γ_1) ∧ (𝒯_2 ∧ Γ_2) ⊨_Γ ⊥    (2.1) 

where Γ is the extension SLat ∧ ⋃_{r ∈ R_1 ∪ R_2} Mon(f_r) of the theory of semilattices with smallest 
element with monotone function symbols f_r corresponding to ∃r for each role r ∈ R_1 ∪ R_2. 
Using, for instance, the hierarchical calculus presented in [15] (see also Section 4), the 
contradiction can be found in polynomial time. In order to find the mistake we look for 
an explanation for the inconsistency in the common language of AChem and BioChem. 
(Common to AChem and BioChem are the concepts substance, organic, inorganic, reaction and 
the role catalyzes.) This can be found by computing an interpolant for the conjunction 
in (2.1) in the theory of semilattices with monotone operators. In this paper we show how 
such interpolants can be found in an efficient way. The method is illustrated on the example 
above in Section 7.2. 
2.2. Verification. In [8], McMillan proposed a method for abstraction-based verification 
in which interpolation (e.g. for linear arithmetic + free functions) is used for abstraction 
refinement. The idea is the following: Starting from a concrete, precise description of a 
(possibly infinite-state) system one can obtain a finite abstraction, by merging the states 
into equivalence classes. A transition exists between two abstract states if there exists a 
transition in the concrete systems between representatives in the corresponding equivalence 
classes. Literals describing the relationships between the state variables at the concrete level 
are represented - at the abstract level - by predicates on the abstract states (equivalence 
classes of concrete states). Classical methods (e.g. BDD-based methods) can be used for 
checking whether there is a path in the abstract model from an initial state to an unsafe 
state. We distinguish the following cases: 

(1) No unsafe state is reachable from an initial state in the abstract model. Then, due to 
the way transitions are defined in the abstraction, this is the case also at the concrete 
level. Hence, the concrete system is guaranteed to be safe. 

(2) There exists a path in the abstract model from an initial state to an unsafe state. This 
path may or may not have a correspondent at the concrete level. In order to check this, 
we analyse the counterpart of the counterexample in the concrete model. This can be 
reduced to testing the satisfiability of a set of constraints: 

Init(s_0) ∧ Tr(s_0, s_1) ∧ ··· ∧ Tr(s_{n−1}, s_n) ∧ ¬Safe(s_n) 

(2.1) If the set of constraints is satisfiable then an unsafe state is reached from the 
initial state also in the concrete system. Thus, the concrete system is not safe. 

(2.2) If the set of constraints is unsatisfiable, then the counterexample obtained due to 
the abstraction was spurious. This means that the abstraction was too coarse. 
In order to refine it we need to take into account new predicates or relationships 
between the existing predicates. Interpolants provide information about which 
new predicates need to be used for refining the abstraction. 

We illustrate these ideas below. Consider a water level controller modeled as follows: 
Changes in the water level by inflow/outflow are represented as functions in, out, depending 
on time t and water level L. Alarm and overflow levels L_alarm < L_overflow, as well as 
upper/lower bounds 0 < δt < Δt for mode durations, are parameters of the system. 

• If L > L_alarm then a valve is opened until time g(t), time changes to t' := h(t) and 
the water level to L' := in(out(L, g(t) − t), h(t) − t). 

• If L < L_alarm then the valve is closed; time changes to t' := k(t), and the water level 
to L' := in(L, k(t) − t). 

We impose restrictions K on h, g, k and on in and out: 

∀t (0 < δt < g(t) − t < h(t) − t < Δt) 
∀t (0 < k(t) − t < Δt) 
∀L, t (L < L_alarm ∧ 0 < t < Δt → in(L, t) < L_overflow) 
∀L, t (L < L_overflow ∧ t > δt → out(L, t) < L_alarm). 

We want to show that if initially L < L_alarm then the water level always remains below 
L_overflow. 

[Figure: the two-mode automaton of the controller. Valve open: t := h(t), 
L := in(out(L, g(t) − t), h(t) − t). Valve closed: L := in(L, k(t) − t), t := k(t).] 
We start with an abstraction in which the predicates are: 

[list of abstraction predicates not recoverable; one of them abstracts the relation 
L'' = in(out(L', t''_1 − t'), t''_2 − t')] 

and no other relations between these predicates are specified. We can, for instance, use 
finite model checking for the finite abstraction obtained this way. Note for instance that 

p ∧ p_1 ∧ p_2 ∧ p_3 ∧ r_1 ∧ r_2 ∧ r_3 ∧ q 

is satisfiable, i.e. in the abstract model there exists a path (of length 2) from the initial state 
to an unsafe state. We analyze the corresponding path in the concrete model to see if this 
counterexample to safety is spurious, i.e. we check whether there exist l, l', l'', t, t', t''_1, t''_2 ∈ ℝ 
such that the conjunction: 

G = l < L_alarm ∧ l' ≈ in(l, t' − t) ∧ t' ≈ k(t) ∧ l' > L_alarm ∧ 
    l'' ≈ in(out(l', t''_1 − t'), t''_2 − t') ∧ t''_1 ≈ g(t') ∧ t''_2 ≈ h(t') ∧ ¬ l'' < L_overflow 



is true. If h, g, k, in, out are regarded as free function symbols this conjunction is satisfiable, 
so the spuriousness of the counterexample cannot be detected. G can however be proved 
to be unsatisfiable if we take into account the additional conditions K on the functions 
in, out, g, h and k. Interpolants can be used for determining the cause of inconsistency, 
and can therefore help in refining the abstraction. The hierarchical interpolation method 
we present here allows us to efficiently generate ground interpolants for extensions with 
functions satisfying axioms of the type considered here and also for a whole class of more 
general axioms. An illustration of this method on the formulae in the example presented 
here is given in Section 7.3. 

Besides the application to verification by abstraction-refinement, computation of Craig 
interpolants has other potential applications (e.g. to goal-directed overapproximation for 
achieving faster termination, or to automatic invariant generation). 

3. Preliminaries 

In this section we introduce the main notions and definitions concerning theories, models 
and interpolants needed in the paper. 

3.1. Theories and models. Theories can be regarded as sets of formulae or as sets of 
models. In this paper, whenever we speak about a theory T - if not otherwise specified - 
we implicitly refer to the set Mod(T) of all models of T. 

Definition 3.1. Let T be a theory in a given signature Π = (Σ, Pred), where Σ is a set of 
function symbols and Pred a set of predicate symbols. Let φ and ψ be formulae over the 
signature Π with variables in a set X. The notion of truth of formulae and of entailment is 
the usual one in logic. We say that: 

• φ is true with respect to T (denoted ⊨_T φ) if φ is true in each model ℳ of T. 

• φ is satisfiable with respect to T if there exists at least one model ℳ of T and an 
assignment β : X → ℳ such that (ℳ, β) ⊨ φ. Otherwise we say that φ is unsatisfiable. 

• We say that φ entails ψ with respect to T (denoted φ ⊨_T ψ) if for every model ℳ of T 
and every valuation β, if (ℳ, β) ⊨ φ then (ℳ, β) ⊨ ψ. 



Note that φ is unsatisfiable with respect to T if and only if φ ⊨_T ⊥ (⊥ stands for false). 

3.2. Interpolation. A theory T has interpolation if, for all formulae φ and ψ in the signature 
of T, if φ ⊨_T ψ then there exists a formula I containing only symbols which occur 
in both φ and ψ such that φ ⊨_T I and I ⊨_T ψ. First order logic has interpolation but - 
for an arbitrary theory T - even if φ and ψ are e.g. conjunctions of ground literals, I may 
still be an arbitrary formula, containing alternations of quantifiers (cf. [6] for an example of 
ground formulae φ and ψ in the language of the theory of arrays whose conjunction 
is unsatisfiable, but there is no ground interpolant over the common variables of φ and ψ). 
It is often important to identify situations in which ground clauses have ground interpolants. 

Definition 3.2. We say that a theory T has the ground interpolation property (or, shorter, 
that T has ground interpolation) if for all ground clauses A(c, d) and B(c, e), if A(c, d) ∧ 
B(c, e) ⊨_T ⊥ then there exists a ground formula I(c), containing only the constants c 
occurring both in A and B, such that A(c, d) ⊨_T I(c) and B(c, e) ∧ I(c) ⊨_T ⊥. 

There exist results which relate ground interpolation to amalgamation or the injection 
transfer property [1, 2, 18] and thus allow us to recognize many theories with ground 
interpolation. We present these results in Appendix A. 

Theorem 3.3. The following theories allow ground interpolation¹: 

(1) The theory of pure equality (without function symbols). 

(2) Linear rational and real arithmetic. 

(3) The theory of posets. 

(4) The theories of (a) Boolean algebras, (b) semilattices, (c) distributive lattices. 

Proof. The proof is given in Appendix A. □ 

Other examples of theories which allow ground interpolation are the equational classes 
of (abelian) groups and lattices. In many applications one needs to consider extensions or 
combinations of theories, and proving amalgamation properties can be complicated. On the 
other hand, just knowing that ground interpolants exist is usually not sufficient: we would 
like to construct the interpolants fast. 

In the examples considered in Theorem 3.3 methods for constructing interpolants exist. 
For the theories of pure equality and of posets interpolants can be constructed for instance 
from proofs [5, 19]. For linear rational or real arithmetic they can either be constructed 
from proofs [8] or by constructing linear programming problems and solving these problems 
using an off-the-shelf sound solver [11]². For the theories of Boolean algebras, distributive 
lattices and semilattices they can be reconstructed from resolution proofs associated with 
the translation of the satisfiability problems to propositional logic [13]; the construction is 
similar to the one described in the proof of Theorem 5.4 in Appendix C. 
We would like to use the advantages of modular or hierarchical reasoning for constructing 
interpolants in theory extensions in an efficient way. This is why in this paper we aim at giving 
methods for constructing interpolants in a hierarchical way. Since in [15] we identified a 
class of theory extensions - namely, local theory extensions - in which hierarchical reasoning 
was possible, in what follows we will study interpolation in local theory extensions. 

¹ In fact, the theories (1) and (4) allow equational interpolation (cf. Definition A.2 in Appendix A). Similar 
results were also established for (2) in [11]. 

² Some off-the-shelf linear programming solvers may not be sound, so care is needed when choosing them. 

4. Local Theory Extensions 

Let T_0 be a theory with signature Π_0 = (Σ_0, Pred). We consider extensions T_1 = T_0 ∪ K of 
T_0 with signature Π = (Σ, Pred), where Σ = Σ_0 ∪ Σ_1 (i.e. the signature is extended by new 
function symbols) and T_1 is obtained from T_0 by adding a set K of (universally quantified) 
clauses. Thus, Mod(T_1) consists of all Π-structures ℳ which are models of K and whose 
reduct ℳ|_{Π_0} to Π_0 is a model of T_0. 

Definition 4.1. A partial Π-structure is a structure ℳ = (M, {f_ℳ}_{f∈Σ}, {P_ℳ}_{P∈Pred}), 
where M is a non-empty set and for every f ∈ Σ with arity n, f_ℳ is a partial function from M^n to M. 

Any variable assignment β : X → M extends in a natural way to terms, such that 
β(f(t_1, ..., t_n)) = f_ℳ(β(t_1), ..., β(t_n)). Thus, the notion of evaluating a term t with respect 
to a variable assignment β : X → M for its variables in a partial structure ℳ is the same 
as for total algebras, except that this evaluation is undefined if t = f(t_1, ..., t_n) and at least 
one of β(t_i) is undefined, or else (β(t_1), ..., β(t_n)) is not in the domain of f_ℳ. 

Definition 4.2. Let ℳ be a partial Π-structure, C a clause and β : X → M. Then 
(ℳ, β) ⊨_w C if and only if either 

(i) for some term t in C, β(t) is undefined, or else 

(ii) β(t) is defined for all terms t of C, and there exists a literal L in C such that β(L) is 
true in ℳ. 

ℳ weakly satisfies C (notation: ℳ ⊨_w C) if (ℳ, β) ⊨_w C for all assignments β. We say 
that ℳ weakly satisfies a set of clauses K or ℳ is a weak partial model of K (notation: 
ℳ ⊨_w K) if ℳ ⊨_w C for all C ∈ K. 

4.1. Local theory extensions: definitions. Let T_0 be a theory with signature Π_0 = 
(Σ_0, Pred) and let K be a set of (universally quantified) clauses in the signature Π = 
(Σ, Pred), where Σ = Σ_0 ∪ Σ_1. In what follows, when referring to sets G of ground clauses 
we assume they are in the signature Π^c = (Σ ∪ Σ_c, Pred) where Σ_c is a set of new constants. 
For the sake of simplicity, we will use the same notation for a structure and for its universe. 

A (total) model of T_1 = T_0 ∪ K is a Π-structure A s.t. A ⊨ K and A|_{Π_0} is a model of T_0. 
Let PMod_w(Σ_1, T_1) be the class of all weak partial models P of K, in which the Σ_1-functions 
are partial and such that P|_{Π_0} is a total model of T_0. 

An extension T_0 ⊆ T_0 ∪ K is local if, in order to prove unsatisfiability of a set G of 
clauses with respect to T_0 ∪ K, it is sufficient to use only those instances K[G] of K in which 
the terms starting with extension functions are in the set st(G, K) of ground terms which 
already occur in G or K. 

Definition 4.3. We consider the following properties of an extension T_1 = T_0 ∪ K of a theory 
T_0 with additional function symbols satisfying a set K of clauses. 

(Loc) For every set G of ground clauses, G ⊨_{T_1} ⊥ if and only if there is no partial 
Π^c-structure P such that P|_{Π_0} is a total model of T_0, all terms in st(K, G) are 
defined in P, and P weakly satisfies K[G] ∧ G. 

A weaker notion (Loc^f) is defined by requiring that the locality condition only holds for 
finite sets G of ground clauses. 

(Loc^f) For every finite set G of ground clauses, G ⊨_{T_1} ⊥ if and only if there is no partial 
Π^c-structure P such that P|_{Π_0} is a total model of T_0, all terms in st(K, G) are 
defined in P, and P weakly satisfies K[G] ∧ G. 

Since (Loc^f) is the property we are interested in, we will only refer to this form of locality in 
what follows. We will say that the extension T_0 ⊆ T_1 is local if it satisfies condition (Loc^f). 

4.2. Embeddability and locality. In [15, 17] we showed that embeddability of certain 
weak partial models into total models implies locality of an extension. Consider condition: 

(Emb_w^f) Every A ∈ PMod_w(Σ_1, T_1) in which all extension functions have a 
finite definition domain weakly embeds into a total model of T_1. 

Definition 4.4. A non-ground clause is Σ_1-flat if function symbols (including constants) do 
not occur as arguments of functions in Σ_1. A Σ_1-flat non-ground clause is called Σ_1-linear if 
whenever a variable occurs in two terms in the clause which start with function symbols in 
Σ_1, the two terms are identical, and if no term which starts with a function in Σ_1 contains 
two occurrences of the same variable. 

Theorem 4.5 ([15, 17]). Let K be a set of clauses in which all terms starting with a function 
symbol in Σ_1 are flat and linear. If the extension T_0 ⊆ T_1 satisfies (Emb_w^f) then it satisfies 
(Loc^f). 

4.3. Examples. Using a variant of Theorem 4.5 in [15] we gave several examples of local 
theory extensions: any extension of a theory with free functions; extensions with selector 
functions for a constructor which is injective in the base theory; extensions of ℝ with a 
Lipschitz function in a point x_0; extensions of partially ordered theories - in a class Ord 
consisting of the theories of posets, (dense) totally-ordered sets, semilattices, (distributive) 
lattices, Boolean algebras, or ℝ - with a monotone function f, i.e. satisfying: 

(Mon(f))   ⋀_{i=1}^n x_i ≤ y_i → f(x_1, ..., x_n) ≤ f(y_1, ..., y_n). 

Generalized monotonicity conditions - combinations of monotonicity in some arguments 
and antitonicity in other arguments - were studied in [17]. Below, we give some additional 
examples with particular relevance in verification. 

Theorem 4.6. We consider the following base theories T_0: (1) 𝒫 (posets), (2) 𝒯𝒪 (totally-
ordered sets), (3) SLat (semilattices), (4) DLat (distributive lattices), (5) Bool (Boolean 
algebras), (6) the theory ℝ of reals resp. LI(ℝ) (linear arithmetic over ℝ), or the theory ℚ 
of rationals resp. LI(ℚ) (linear arithmetic over ℚ), or (a subtheory of) the theory of integers 
(e.g. Presburger arithmetic). The following theory extensions are local: 

(a) Extensions of any theory T_0 for which ≤ is reflexive with functions satisfying boundedness 
(Bound^t(f)) or guarded boundedness (GBound^t(f)) conditions 

(Bound^t(f))    ∀x_1, ..., x_n (f(x_1, ..., x_n) ≤ t(x_1, ..., x_n)) 
(GBound^t(f))   ∀x_1, ..., x_n (φ(x_1, ..., x_n) → f(x_1, ..., x_n) ≤ t(x_1, ..., x_n)), 

where t(x_1, ..., x_n) is a term in the base signature Π_0 and φ(x_1, ..., x_n) a conjunction 
of literals in the signature Π_0, whose variables are in {x_1, ..., x_n}. 

(b) Extensions of any theory T_0 in (1)-(6) with Mon(f) ∧ Bound^t(f), if t(x_1, ..., x_n) is a 
term in the base signature Π_0 in the variables x_1, ..., x_n such that for every model of 
T_0 the associated function is monotone in the variables x_1, ..., x_n. 

(c) Extensions of any theory in (1)-(6) with functions satisfying Leq(f, g) ∧ Mon(f). 

(Leq(f, g))   ∀x_1, ..., x_n, y_1, ..., y_n (⋀_{i=1}^n x_i ≤ y_i → f(x_1, ..., x_n) ≤ g(y_1, ..., y_n)) 

(d) Extensions of any totally-ordered theory above (i.e. (2) and (6)) with functions satisfying 
SGc(f, g_1, ..., g_n) ∧ Mon(f, g_1, ..., g_n). 

(SGc(f, g_1, ..., g_n))   ∀x_1, ..., x_n, x (⋀_{i=1}^n x_i ≤ g_i(x) → f(x_1, ..., x_n) ≤ x) 

(e) Extensions of any theory in (1)-(3) with functions satisfying SGc(f, g_1) ∧ Mon(f, g_1). 

All the extensions above satisfy condition (Loc^f). 

Proof. The proof is given in Appendix B. □ 

4.4. Hierarchic reasoning in local theory extensions. Let T_0 ⊆ T_1 = T_0 ∪ K be a local 
theory extension. To check the satisfiability of a set G of ground clauses with respect to 
T_1 we can use the following hierarchical procedure to reduce the problem to a satisfiability 
problem in the base theory (for details cf. [15]): 

Step 1: Use locality. By the locality condition, we know that G is unsatisfiable with 
respect to T_1 if and only if K[G] ∧ G has no weak partial model in which all the subterms 
of K[G] ∧ G are defined, and whose restriction to Π_0 is a total model of T_0. 

Step 2: Flattening and purification. As in K[G] and G the functions in Σ_1 have as 
arguments only ground terms, K[G] ∧ G can be purified and flattened by introducing new 
constants for the arguments of the extension functions as well as for the (sub)terms 
t = f(g_1, ..., g_n) starting with extension functions f ∈ Σ_1, together with new corresponding 
definitions c_t ≈ t. The set of clauses thus obtained has the form K_0 ∧ G_0 ∧ D, 
where D is a set of ground unit clauses of the form f(c_1, ..., c_n) ≈ c, where f ∈ Σ_1 and 
c_1, ..., c_n, c are constants, and K_0, G_0 are clauses without function symbols in Σ_1. 

Step 3: Reduction to testing satisfiability in T_0. We reduce the problem of testing satisfiability 
of G with respect to T_1 to a satisfiability test in T_0 as shown in Theorem 4.7. 

Theorem 4.7 ([15]). Assume that T_0 ∪ K is a local extension of T_0 with a set K of clauses. 
With the notation above, the following are equivalent: 

(1) T_0 ∧ K ∧ G has a model. 

(2) T_0 ∧ K[G] ∧ G has a weak partial model where all terms in st(K, G) are defined. 

(3) T_0 ∧ K_0 ∧ G_0 ∧ D has a weak partial model with all terms in st(K, G) defined. 

(4) T_0 ∧ K_0 ∧ G_0 ∧ Con[D]_0 has a (total) Π_0-model, where 

Con[D] = { ⋀_{i=1}^n c_i ≈ d_i → c ≈ d | f(c_1, ..., c_n) ≈ c, f(d_1, ..., d_n) ≈ d ∈ D } 

is the set of instances of the congruence axioms for the functions in Σ_1 corresponding 
to the extension terms in D. 
Example 4.8. Let T_1 = SLat ∪ SGc(f, g) ∪ Mon(f, g) be the extension of the theory of 
semilattices with two monotone functions f, g satisfying the semi-Galois condition SGc(f, g). 
Consider the following ground formulae A, B in the signature of T_1: 

A: d ≤ g(a) ∧ a ≤ c        B: b ≤ d ∧ f(b) ≰ c, 

where c and d are shared constants. By Theorem 4.6(e), T_1 is a local extension of the theory 
of semilattices. To prove that A ∧ B ⊨_{T_1} ⊥ we proceed as follows: 

Step 1: Use locality. By the locality condition, A ∧ B is unsatisfiable with respect to 
SLat ∧ SGc(f, g) ∧ Mon(f, g) iff SLat ∧ SGc(f, g)[A ∧ B] ∧ Mon(f, g)[A ∧ B] ∧ A ∧ B has 
no weak partial model in which all terms in A and B are defined. The extension terms 
occurring in A ∧ B are f(b) and g(a), hence: 

Mon(f, g)[A ∧ B] = {a ≤ a → g(a) ≤ g(a), b ≤ b → f(b) ≤ f(b)} 

SGc(f, g)[A ∧ B] = {b ≤ g(a) → f(b) ≤ a} 

Step 2: Flattening and purification. We purify and flatten SGc(f, g)[A ∧ B] ∧ Mon(f, g)[A ∧ B] ∧ A ∧ B 
by replacing the ground terms starting with f and g with new constants. The clauses are 
separated into a part containing definitions for terms starting with extension functions, 
D_A ∧ D_B, and a conjunction of formulae in the base signature, A_0 ∧ B_0 ∧ SGc_0 ∧ Mon_0. 

Step 3: Reduction to testing satisfiability in T_0. As the extension SLat ⊆ T_1 is local, by 
Theorem 4.7 we know that 

A ∧ B ⊨_{T_1} ⊥ if and only if A_0 ∧ B_0 ∧ SGc_0 ∧ Mon_0 ∧ Con_0 is unsatisfiable with respect to SLat, 

where Con_0 = Con[A ∧ B]_0 consists of the flattened form of those instances of the congruence 
axioms containing only f- and g-terms which occur in D_A or D_B, and SGc_0 ∧ Mon_0 
consists of those instances of axioms in SGc(f, g) ∧ Mon(f, g) containing only f- and 
g-terms which occur in D_A or D_B. 



  Extension              Base 
  D_A ∧ D_B              A_0 ∧ B_0 ∧ SGc_0 ∧ Mon_0 ∧ Con_0 

  D_A: a_1 ≈ g(a)        A_0 = d ≤ a_1 ∧ a ≤ c 
                         SGc_0 = b ≤ a_1 → b_1 ≤ a 
                         Con_A ∧ Mon_A = a ◁ a → a_1 ◁ a_1,   ◁ ∈ {≈, ≤} 

  D_B: b_1 ≈ f(b)        B_0 = b ≤ d ∧ b_1 ≰ c 
                         Con_B ∧ Mon_B = b ◁ b → b_1 ◁ b_1,   ◁ ∈ {≈, ≤} 

It is easy to see that A_0 ∧ B_0 ∧ SGc_0 ∧ Mon_0 ∧ Con_0 is unsatisfiable with respect to SLat: 
A_0 ∧ B_0 entails b ≤ a_1, together with SGc_0 this yields b_1 ≤ a, which together with a ≤ c 
and b_1 ≰ c leads to a contradiction. 
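The three steps of the procedure in Section 4.4 and the computation of Example 4.8 can be mechanized. The Python program below is an added worked example, not code from the paper: it computes K[G] by instantiating flat, linear clauses over the ground extension terms of G (Step 1), purifies the result into K_0 ∧ G_0 together with the definitions D (Step 2, using fresh names k1, k2, ... where the text uses a_1, b_1), adds Con[D]_0 (Step 3) and then decides the resulting base-theory problem. The decision procedure is an assumption of this example: it handles only ground Horn clauses over ≤ in the theory of posets, by saturation under reflexivity and transitivity, which suffices here because the meet operation of SLat is never used and c ≈ d is encoded as c ≤ d ∧ d ≤ c. The term encoding (tuples for applications, '?'-prefixed variable names) is likewise this example's own convention.

```python
"""Steps 1-3 of Section 4.4 run on the data of Example 4.8 (added illustration,
not the paper's code).  Conventions assumed here: constants are strings ('a'),
variables are strings starting with '?', f(t1, .., tn) is the tuple ('f', t1, .., tn),
a literal (True, s, t) means s <= t and (False, s, t) its negation, a clause is a
list of literals.  The c ≈ d of the congruence axioms is encoded as c <= d and
d <= c, which antisymmetry justifies in the partially ordered base theories."""
from itertools import product

EXT = {'f', 'g'}                                   # extension symbols Sigma_1

def subterms(t):
    """All subterms of t, t itself first."""
    return [t] + ([s for a in t[1:] for s in subterms(a)] if isinstance(t, tuple) else [])

def ext_terms(clauses):
    """Terms starting with an extension symbol; for ground G this is st(G)."""
    found = []
    for clause in clauses:
        for _, lhs, rhs in clause:
            for s in subterms(lhs) + subterms(rhs):
                if isinstance(s, tuple) and s[0] in EXT and s not in found:
                    found.append(s)
    return found

def subst(t, sigma):
    if isinstance(t, tuple):
        return (t[0],) + tuple(subst(a, sigma) for a in t[1:])
    return sigma.get(t, t) if isinstance(t, str) and t.startswith('?') else t

def instantiate(K, G):
    """Step 1 (locality): K[G], the instances of K whose extension terms all lie in
    st(G).  K is assumed flat and linear (Theorem 4.5), so matching an extension
    term of a clause against a ground one only binds its variable arguments."""
    ground, result = ext_terms(G), []
    for clause in K:
        patterns = ext_terms([clause])
        for choice in product(ground, repeat=len(patterns)):
            sigma, ok = {}, True
            for pat, gt in zip(patterns, choice):
                ok = ok and pat[0] == gt[0] and len(pat) == len(gt)
                for v, arg in zip(pat[1:], gt[1:]):
                    ok = ok and sigma.setdefault(v, arg) == arg
            inst = [(p, subst(l, sigma), subst(r, sigma)) for p, l, r in clause]
            if ok and inst not in result:
                result.append(inst)
    return result

def purify(t, defs):
    """Step 2: replace a ground extension term (arguments first) by a fresh constant,
    recording the definition c ≈ f(c1, .., cn) in defs (the set D)."""
    if not isinstance(t, tuple):
        return t
    t = (t[0],) + tuple(purify(a, defs) for a in t[1:])
    if t[0] not in EXT:
        return t
    for c, u in defs.items():
        if u == t:
            return c
    defs['k%d' % (len(defs) + 1)] = t
    return 'k%d' % len(defs)

def congruence(defs):
    """Con[D]_0: for f(c1..cn) ≈ c, f(d1..dn) ≈ d in D the instance
    c1 ≈ d1 ∧ .. ∧ cn ≈ dn -> c ≈ d, as two Horn clauses over <=."""
    out, items = [], list(defs.items())
    for i, (c, tc) in enumerate(items):
        for d, td in items[i + 1:]:
            if tc[0] == td[0]:
                prem = [(False, x, y) for x, y in zip(tc[1:], td[1:])]
                prem += [(False, y, x) for x, y in zip(tc[1:], td[1:])]
                out += [prem + [(True, c, d)], prem + [(True, d, c)]]
    return out

def unsat_in_poset(clauses):
    """Step 3 for ground Horn clauses over <= in the theory of posets: forward
    chaining with reflexivity and transitivity builds the least model, so the
    clauses are unsatisfiable iff the body of some all-negative clause holds in it."""
    consts = {t for cl in clauses for _, l, r in cl for t in (l, r)}
    facts, rules, goals = {(c, c) for c in consts}, [], []
    for cl in clauses:
        pos = [(l, r) for p, l, r in cl if p]
        neg = [(l, r) for p, l, r in cl if not p]
        assert len(pos) <= 1, 'Horn clauses only'
        (rules if pos else goals).append((neg, pos[0] if pos else None))
    while True:
        new = {(a, d) for a, b in facts for c, d in facts if b == c} - facts
        new |= {q for prem, q in rules if all(p in facts for p in prem)} - facts
        if not new:
            return any(all(p in facts for p in prem) for prem, _ in goals)
        facts |= new

def hierarchical_check(K, G):
    """Steps 1-3; returns (unsatisfiable?, base clauses K_0 ∧ G_0 ∧ Con[D]_0, D)."""
    defs = {}
    base = [[(p, purify(l, defs), purify(r, defs)) for p, l, r in cl]
            for cl in instantiate(K, G) + G]
    base += congruence(defs)
    return unsat_in_poset(base), base, defs

# Example 4.8: T_1 = SLat ∪ SGc(f, g) ∪ Mon(f, g), f and g unary; A, B as in the text.
MON = [[(False, '?x', '?y'), (True, ('f', '?x'), ('f', '?y'))],
       [(False, '?x', '?y'), (True, ('g', '?x'), ('g', '?y'))]]
SGC = [[(False, '?x1', ('g', '?x')), (True, ('f', '?x1'), '?x')]]
A = [[(True, 'd', ('g', 'a'))], [(True, 'a', 'c')]]        # d <= g(a), a <= c
B = [[(True, 'b', 'd')], [(False, ('f', 'b'), 'c')]]       # b <= d, not f(b) <= c
```

Calling hierarchical_check(MON + SGC, A + B) reproduces the table above up to naming: D = {k1 ≈ f(b), k2 ≈ g(a)}, the single SGc instance b ≤ k2 → k1 ≤ a, the two trivial Mon instances, no non-trivial congruence instance (f and g are different symbols), and the verdict "unsatisfiable". Dropping a ≤ c from A makes the same call report satisfiable, since the chain b ≤ d ≤ g(a) then only yields f(b) ≤ a and nothing contradicts f(b) ≰ c.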



5. Hierarchical Interpolant Computation 

Let T_0 ⊆ T_1 = T_0 ∪ K be a theory extension by means of a set of clauses K. Assume that 
A ∧ B ⊨_{T_1} ⊥, where A and B are two sets of ground clauses. Our goal is to find a ground 
interpolant, that is a ground formula I containing only constants and extension functions 
which are common to A and B such that 

A ⊨_{T_1} I   and   I ∧ B ⊨_{T_1} ⊥. 

Flattening and purification do not influence the existence of ground interpolants: 

Lemma 5.1. Let A and B be two sets of ground clauses in the signature Π^c. Let A_0 ∧ D_A 
and B_0 ∧ D_B be obtained from A resp. B by purification and flattening. If I is an interpolant 
of (A_0 ∧ D_A) ∧ (B_0 ∧ D_B) then the formula I', obtained from I by replacing, recursively, all 
newly introduced constants with the terms in the original signature which they represent, is 
an interpolant for A ∧ B. 

Proof. If I is an interpolant of (A_0 ∧ D_A) ∧ (B_0 ∧ D_B), then A_0 ∧ D_A ⊨_{T_1} I and B_0 ∧ D_B ∧ 
I ⊨_{T_1} ⊥. Let I' be obtained from I by replacing, recursively, all newly introduced constants 
with the terms in the original signature which they represent. Then: 

(i) A ∧ ¬I' and A_0 ∧ D_A ∧ ¬I are equisatisfiable with respect to T_1, so A ⊨_{T_1} I'. 

(ii) B ∧ I' and B_0 ∧ D_B ∧ I are equisatisfiable with respect to T_1, so B ∧ I' ⊨_{T_1} ⊥. □ 

Therefore we can restrict without loss of generality to finding interpolants for the purified 
and flattened conjunction of formulae (A_0 ∧ D_A) ∧ (B_0 ∧ D_B). 

We focus on interpolation in local theory extensions. Let $T_0 \subseteq T_1 = T_0 \cup \mathcal{K}$ be a local 
theory extension. From Theorem 4.7 we know that in such extensions hierarchical reasoning 
is possible: if $A$ and $B$ are sets of ground clauses in a signature $\Pi$, and $A_0 \wedge D_A$ (resp. 
$B_0 \wedge D_B$) are obtained from $A$ (resp. $B$) by purification and flattening, then 

\[ (A_0 \wedge D_A) \wedge (B_0 \wedge D_B) \models_{T_1} \bot \quad \text{if and only if} \quad \mathcal{K}_0 \wedge A_0 \wedge B_0 \wedge \mathrm{Con}[D_A \wedge D_B]_0 \models_{T_0} \bot, \]

where $\mathcal{K}_0$ is obtained from $\mathcal{K}[D_A \wedge D_B]$ by replacing the $\Sigma_1$-terms with the corresponding 
constants contained in the definitions $D_A$ and $D_B$, and 

\[ \mathrm{Con}[D_A \wedge D_B]_0 = \bigwedge \Big\{ \bigwedge_{i=1}^{n} c_i \approx d_i \to c \approx d \ \Big|\ f(c_1, \dots, c_n) \approx c,\ f(d_1, \dots, d_n) \approx d \in D_A \cup D_B \Big\}. \]

In general we cannot use Theorem 4.7 for generating a ground interpolant because: 

(i) $\mathcal{K}[D_A \wedge D_B]$ (hence also $\mathcal{K}_0$) may contain free variables. 

(ii) If some clause in $\mathcal{K}$ contains two or more different extension functions, it is unlikely 
that these extension functions can be separated in the interpolants. 

(iii) The clauses in $\mathcal{K}[D_A \wedge D_B]$ and the instances of congruence axioms (and therefore the 
clauses in $\mathcal{K}_0 \wedge \mathrm{Con}[D_A \wedge D_B]_0$) may contain combinations of constants and extension 
functions from $A$ and $B$. 

To avoid (i), we will need to take into account only extensions with sets $\mathcal{K}$ of clauses in 
which all variables occur below some extension term. To solve (ii), we define a relation $\sim$ 
between extension functions, where $f \sim g$ if $f$ and $g$ occur in the same clause in $\mathcal{K}$. This 
defines an equivalence relation $\sim$ on $\Sigma_1$. We henceforth consider that a function $f \in \Sigma_1$ is 
common to $A$ and $B$ if there exist $g, h \in \Sigma_1$ such that $f \sim g$, $f \sim h$, $g$ occurs in $A$ and $h$ 
occurs in $B$. 

Example 5.2. Consider the reduction to the base theory in Example 4.8. We explain the 
problems mentioned above. 

Ad (ii) As $\mathrm{SGc}(f, g)$ contains occurrences of both $f$ and $g$, it is not likely to find an 
interpolant with no occurrence of $f$ and $g$, even if $g$ only occurs in $A$ and $f$ only 
occurs in $B$. We therefore assume that $f \sim g$, i.e. that both $f$ and $g$ are shared. 

Ad (iii) The clause $b \leq a_1 \to b_1 \leq a$ of $\mathrm{SGc}_0$ is mixed, i.e. contains combinations of 
constants from $A$ and $B$. 

The idea for solving problem (iii) is presented below. 

5.1. Main Idea. The idea of our approach is to separate mixed instances of axioms in 
$\mathcal{K}_0$, or of congruence axioms in $\mathrm{Con}[D_A \wedge D_B]_0$, into an $A$-part and a $B$-part. That is, 
if $A \wedge B \models_{T_1} \bot$ we find a set $T$ of $\Sigma_0 \cup \Sigma_1$-terms containing only constants and extension 
functions common to $A$ and $B$, such that $\mathcal{K}[A \wedge B]$ can be separated into a part $\mathcal{K}[A, T]$ 
consisting of instances with extension terms occurring in $A$ and $T$, and a part $\mathcal{K}[B, T]$ 
containing only instances with extension terms in $B$ and $T$, such that 

\[ \mathcal{K}[A, T] \wedge A_0 \wedge \mathrm{Con}[D_A \wedge D_T] \wedge \mathcal{K}[B, T] \wedge B_0 \wedge \mathrm{Con}[D_B \wedge D_T] \]

has no weak partial model in which all ground terms in $\mathcal{K}$, $D_A$, $D_B$, $T$ are defined. 

Example 5.3. Consider the conjunction $A_0 \wedge D_A \wedge B_0 \wedge D_B \wedge \mathrm{Con}[D_A \wedge D_B]_0 \wedge \mathrm{Mon}_0 \wedge \mathrm{SGc}_0$ 
in Example 4.8. The $A$- and $B$-part share the constants $c$ and $d$, and no function symbols. 
However, as $f$ and $g$ occur together in $\mathrm{SGc}$, $f \sim g$, so they are considered to be all shared. 
(Thus, the interpolant is allowed to contain both $f$ and $g$.) We obtain a separation for the 
clause $b \leq a_1 \to b_1 \leq a$ of $\mathrm{SGc}_0$ as follows: 

(i) We note that $A_0 \wedge B_0 \models b \leq a_1$. 

(ii) We can find an $\mathrm{SLat}$-term $t$ containing only shared constants of $A_0$ and $B_0$ such that 
$A_0 \wedge B_0 \models b \leq t \wedge t \leq a_1$. (Indeed, such a term is $t = d$.) 

(iii) We show that, instead of the axiom $b \leq g(a) \to f(b) \leq a$, whose flattened form is in 
$\mathrm{SGc}_0$, we can use, without loss of unsatisfiability: 

(1) an instance of the monotonicity axiom for $f$: $b \leq d \to f(b) \leq f(d)$, 

(2) another instance of $\mathrm{SGc}$, namely: $d \leq g(a) \to f(d) \leq a$. 

For this, we introduce a new constant $c_{f(d)}$ for $f(d)$ (its definition, $c_{f(d)} \approx f(d)$, is 
stored in a set $D_T$), and the corresponding instances $\mathcal{H}_{sep} = \mathcal{H}^A_{sep} \wedge \mathcal{H}^B_{sep}$ of the congru- 
ence, monotonicity and $\mathrm{SGc}(f, g)$-axioms, which are now separated into an $A$-part 
($\mathcal{H}^A_{sep}: d \leq a_1 \to c_{f(d)} \leq a$) and a $B$-part ($\mathcal{H}^B_{sep}: b \leq d \to b_1 \leq c_{f(d)}$). We thus obtain 
a separated conjunction $\overline{A_0} \wedge \overline{B_0}$ (where $\overline{A_0} = \mathcal{H}^A_{sep} \wedge A_0$ and $\overline{B_0} = \mathcal{H}^B_{sep} \wedge B_0$), which 
can be proved to be unsatisfiable in $T_0 = \mathrm{SLat}$. 

(iv) To compute an interpolant in $\mathrm{SLat}$ for $\overline{A_0} \wedge \overline{B_0}$ note that $\overline{A_0}$ is logically equivalent 
to the conjunction of unit literals $d \leq a_1 \wedge a \leq c \wedge c_{f(d)} \leq a$ and $\overline{B_0}$ is logically 
equivalent to $b \leq d \wedge b_1 \not\leq c \wedge b_1 \leq c_{f(d)}$. An interpolant is $I_0 = c_{f(d)} \leq c$. 

(v) By replacing the new constants with the terms they denote we obtain the interpolant 
$I = f(d) \leq c$ for $A \wedge B$. 

Note that in order to be able to perform in general the succession of steps in Example 5.3 
it is necessary that $\mathcal{K}_0$ is ground and that the theory extension and the base theory have certain 
properties: 

(i) it is always possible to find an axiom instance such that all its premises are entailed 
by $A_0 \wedge B_0$; 

(ii) we can find separating terms (in the joint signature) for the entailed literals; 

(iii) the axioms come in pairs with corresponding monotonicity axioms, which are then used 
to separate mixed rules; 

(iv) we can compute ground interpolants in $T_0$. 

Theory extensions satisfying these conditions appear in a natural way in a wide variety of 
applications, ranging from knowledge representation to verification. In what follows we will 
give several examples of theories with properties (i)-(iv). 

5.2. Examples of theory extensions with hierarchic interpolation. We identify a 
class of theory extensions for which interpolants can be computed hierarchically (and effi- 
ciently) using a procedure for generating interpolants in the base theory $T_0$. This allows 
us to exploit specific properties of $T_0$ for obtaining simple interpolants in $T_1$. We make the 
following assumptions about $T_0$: 

Assumption 1: $T_0$ is convex with respect to the set $\mathrm{Pred}$ of all predicates (including 
equality $\approx$), i.e., for all conjunctions $\Gamma$ of ground atoms, relations $R_1, \dots, R_m \in \mathrm{Pred}$ 
and ground tuples of corresponding arity $\bar t_1, \dots, \bar t_m$, if $\Gamma \models_{T_0} \bigvee_{i=1}^{m} R_i(\bar t_i)$ then there exists 
$j \in \{1, \dots, m\}$ such that $\Gamma \models_{T_0} R_j(\bar t_j)$. 

Assumption 2: $T_0$ is $P$-interpolating with respect to $P \subseteq \mathrm{Pred}$, i.e. for all conjunctions $A$ 
and $B$ of ground literals, all binary predicates $R \in P$ and all constants $a$ and $b$ such that 
$a$ occurs in $A$ and $b$ occurs in $B$ (or vice versa), if $A \wedge B \models_{T_0} aRb$ then there exists a 
term $t$ containing only constants common to $A$ and $B$ with $A \wedge B \models_{T_0} aRt \wedge tRb$. (If we 
can always find a term $t$ containing only constants common to $A$ and $B$ with $A \models_{T_0} aRt$ 
and $B \models_{T_0} tRb$ we say that $T_0$ is strongly $P$-interpolating.) 

Assumption 3: $T_0$ has ground interpolation. 

Some examples of theories satisfying these properties are given below. 

Theorem 5.4. The following theories have ground interpolation and are convex and $P$- 
interpolating with respect to the indicated set $P$ of predicate symbols: 

(1) The theory $\mathrm{EQ}$ of pure equality without function symbols (for $P = \{\approx\}$). 

(2) The theory $\mathrm{PoSet}$ of posets (for $P = \{\approx, \leq\}$). 

(3) Linear rational arithmetic $\mathrm{LI}(\mathbb{Q})$ and linear real arithmetic $\mathrm{LI}(\mathbb{R})$ (convex with respect 
to $P = \{\approx\}$, strongly $P$-interpolating for $P = \{\leq\}$). 

(4) The theories $\mathrm{Bool}$ of Boolean algebras, $\mathrm{SLat}$ of semilattices and $\mathrm{DLat}$ of distributive 
lattices (strongly $P$-interpolating for $P = \{\approx, \leq\}$). 

Proof. The proof is given in Appendix O. □ 

We make the following assumption about the extension $T_1$ of $T_0$. 

Assumption 4: $T_1 = T_0 \cup \mathcal{K}$ is a local extension of $T_0$ with the property that in all clauses 
in $\mathcal{K}$ each variable occurs also below some extension function. 

For the sake of simplicity we only consider sets $A$, $B$ of unit clauses, i.e. conjunctions of 
ground literals. This is not a restriction, since if we can obtain interpolants for conjunctions 
of ground literals then we can also construct interpolants for conjunctions of arbitrary 
clauses by using standard methods discussed e.g. in [8] or [19] (see the footnote below). 

By Lemma 5.1 we can restrict without loss of generality to finding an interpolant for 
the purified and flattened conjunction of unit clauses $A_0 \wedge B_0 \wedge D_A \wedge D_B$. By Theorem 4.7, 

\[ A_0 \wedge D_A \wedge B_0 \wedge D_B \models_{T_1} \bot \quad \text{if and only if} \quad \mathcal{K}_0 \wedge A_0 \wedge B_0 \wedge \mathrm{Con}[D_A \wedge D_B]_0 \models_{T_0} \bot, \]

(Footnote: E.g. in a DPLL-style procedure partial interpolants are generated for the unsatisfiable branches and 
then recombined using ideas of Pudlák.) 

where $\mathcal{K}_0$ is obtained from $\mathcal{K}[D_A \wedge D_B]$ by replacing the $\Sigma_1$-terms with the corresponding 
constants contained in the definitions $D_A \wedge D_B$ and 

\[ \mathrm{Con}[D_A \wedge D_B]_0 = \bigwedge \Big\{ \bigwedge_{i=1}^{n} c_i \approx d_i \to c \approx d \ \Big|\ f(c_1, \dots, c_n) \approx c,\ f(d_1, \dots, d_n) \approx d \in D_A \cup D_B \Big\}. \]

In general, $\mathrm{Con}[D_A \wedge D_B]_0 = \mathrm{Con}_0^A \wedge \mathrm{Con}_0^B \wedge \mathrm{Con}_{mix}$ and $\mathcal{K}_0 = \mathcal{K}_0^A \wedge \mathcal{K}_0^B \wedge \mathcal{K}_{mix}$, where 
$\mathrm{Con}_0^A, \mathcal{K}_0^A$ only contain extension functions and constants which occur in $A$, $\mathrm{Con}_0^B, \mathcal{K}_0^B$ only 
contain extension functions and constants which occur in $B$, and $\mathrm{Con}_{mix}, \mathcal{K}_{mix}$ contain mixed 
clauses with constants occurring in both $A$ and $B$. Our goal is to separate $\mathrm{Con}_{mix}$ and $\mathcal{K}_{mix}$ 
into an $A$-local and a $B$-local part. We show that, under Assumptions 1 and 2, $\mathrm{Con}_{mix}$ 
can always be separated, and $\mathcal{K}_{mix}$ can be separated if $\mathcal{K}$ contains the following type of 
combinations of clauses: 

\[ \begin{cases} x_1 R_1 s_1 \wedge \dots \wedge x_n R_n s_n \to f(x_1, \dots, x_n)\, R\, g(y_1, \dots, y_n) \\ x_1 R_1 y_1 \wedge \dots \wedge x_n R_n y_n \to f(x_1, \dots, x_n)\, R\, f(y_1, \dots, y_n) \end{cases} \tag{5.1} \]

where $n \geq 1$, $x_1, \dots, x_n, y_1, \dots, y_n$ are variables, $R_1, \dots, R_n, R$ are binary relations with 
$R_1, \dots, R_n \in P$ and $R$ transitive, and each $s_i$ is either a variable among the 
arguments of $g$, or a term of the form $f_i(z_1, \dots, z_k)$, where $f_i \in \Sigma_1$ and all 
the arguments of $f_i$ are variables occurring among the arguments of $g$. 

We therefore make the following additional assumption about the theory extension $T_1$. 

Assumption 5: $T_1 = T_0 \cup \mathcal{K}$ is an extension of $T_0$ with a set of clauses $\mathcal{K}$ which only 
contains combinations of clauses of type (5.1). 

Example 5.5. The following local extensions satisfy Assumptions 4 and 5: 

(a) Any extension with free functions ($\mathcal{K} = \emptyset$). 

(b) Extensions of any theory in $\mathrm{Ord}$ (cf. Section 4.3) with monotone functions. 

(c) Extensions of any totally-ordered theory in $\mathrm{Ord}$ with functions satisfying 
$\mathrm{SGc}(f, g_1, \dots, g_n) \wedge \mathrm{Mon}(f, g_1, \dots, g_n)$. 

(d) Extensions of theories in $\mathrm{Ord}$ with functions satisfying $\mathrm{SGc}(f, g_1) \wedge \mathrm{Mon}(f, g_1)$. 

(e) Extensions of theories in $\mathrm{Ord}$ with functions satisfying $\mathrm{Leq}(f, g) \wedge \mathrm{Mon}(f)$. 

Remark 5.6. If the clauses in $\mathcal{K}$ are of type (5.1), then $\mathcal{K}_0 = \mathcal{K}_0^A \wedge \mathcal{K}_0^B \wedge \mathcal{K}_{mix}$, where 

\[ \begin{aligned} \mathcal{K}_0^A = {} & \{ (\textstyle\bigwedge_{i=1}^n c_i R_i d_i) \to cRd \mid (\textstyle\bigwedge_{i=1}^n x_i R_i s_i(\bar y)) \to f(x_1, \dots, x_n) R g(\bar y) \in \mathcal{K}, \\ & \quad d_i \approx s_i(\bar e) \in D_A,\ d \approx g(\bar e) \in D_A,\ c \approx f(c_1, \dots, c_n) \in D_A \} \cup \\ & \{ (\textstyle\bigwedge_{i=1}^n c_i R_i d_i) \to cRd \mid (\textstyle\bigwedge_{i=1}^n x_i R_i y_i) \to f(x_1, \dots, x_n) R f(y_1, \dots, y_n) \in \mathcal{K}, \\ & \quad d \approx f(d_1, \dots, d_n) \in D_A,\ c \approx f(c_1, \dots, c_n) \in D_A \}, \end{aligned} \]

similarly for $\mathcal{K}_0^B$, and 

\[ \begin{aligned} \mathcal{K}_{mix} = {} & \{ \textstyle\bigwedge_{i=1}^n c_i R_i d_i \to cRd \mid \textstyle\bigwedge_{i=1}^n x_i R_i s_i(\bar y) \to f(x_1, \dots, x_n) R g(\bar y) \in \mathcal{K},\ d_i \approx s_i(\bar e) \in D_A, \\ & \quad d \approx g(\bar e) \in D_A \setminus D_B,\ c \approx f(c_1, \dots, c_n) \in D_B \setminus D_A \} \cup \\ & \{ \textstyle\bigwedge_{i=1}^n c_i R_i d_i \to cRd \mid \textstyle\bigwedge_{i=1}^n x_i R_i y_i \to f(x_1, \dots, x_n) R f(y_1, \dots, y_n) \in \mathcal{K}, \\ & \quad d \approx f(d_1, \dots, d_n) \in D_A \setminus D_B,\ c \approx f(c_1, \dots, c_n) \in D_B \setminus D_A \} \cup \\ & \{ \textstyle\bigwedge_{i=1}^n c_i R_i d_i \to cRd \mid \textstyle\bigwedge_{i=1}^n x_i R_i s_i(\bar y) \to f(x_1, \dots, x_n) R g(\bar y) \in \mathcal{K},\ d_i \approx s_i(\bar e) \in D_B, \\ & \quad d \approx g(\bar e) \in D_B \setminus D_A,\ c \approx f(c_1, \dots, c_n) \in D_A \setminus D_B \} \cup \\ & \{ \textstyle\bigwedge_{i=1}^n c_i R_i d_i \to cRd \mid \textstyle\bigwedge_{i=1}^n x_i R_i y_i \to f(x_1, \dots, x_n) R f(y_1, \dots, y_n) \in \mathcal{K}, \\ & \quad d \approx f(d_1, \dots, d_n) \in D_B \setminus D_A,\ c \approx f(c_1, \dots, c_n) \in D_A \setminus D_B \}. \end{aligned} \]

All clauses in $\mathcal{K}_0$ are of the form $C = \bigwedge_{i=1}^n c_i R_i d_i \to cRd$, where $R_i \in P$, $R$ is transitive, 
and $c_i, d_i, c, d$ are constants. Moreover, the cardinality of $\mathcal{K}_0 \cup \mathrm{Con}[D_A \wedge D_B]_0$ is quadratic 
in the size of $A \wedge B$ for a fixed $\mathcal{K}$. 

(Footnote to the clauses of type (5.1): More general types of clauses, in which instead of variables we can consider arbitrary base terms, can 
be handled if $T_0$ has a $P$-interpolation property for terms instead of constants. Due to space limitations, 
such extensions are not discussed here.) 

Proposition 5.7. Assume that $T_0$ satisfies Assumptions 1 and 2. Let $\mathcal{H}$ be a set of Horn 
clauses $(\bigwedge_{i=1}^n c_i R_i d_i) \to cRd$ in the signature $\Pi_0$ (with $R$ transitive and $R_i \in P$) which are 
instances of flattened and purified clauses of type (5.1) and of congruence axioms. Let $A_0$ 
and $B_0$ be conjunctions of ground literals in the signature $\Pi_0$ such that $A_0 \wedge B_0 \wedge \mathcal{H} \models_{T_0} \bot$. 
Then $\mathcal{H}$ can be separated into an $A$ and a $B$ part by replacing the set $\mathcal{H}_{mix}$ of mixed clauses 

\[ \begin{aligned} \mathcal{H}_{mix} = {} & \{ \textstyle\bigwedge_{i=1}^n c_i R_i d_i \to cRd \in \mathcal{H} \mid c_i, c \text{ constants in } A,\ d_i, d \text{ constants in } B \} \cup \\ & \{ \textstyle\bigwedge_{i=1}^n c_i R_i d_i \to cRd \in \mathcal{H} \mid c_i, c \text{ constants in } B,\ d_i, d \text{ constants in } A \} \end{aligned} \]

with a separated set of formulae $\mathcal{H}_{sep}$. The following hold: 

(1) There exists a set $T$ of $\Sigma_0 \cup \Sigma_c$-terms containing only constants common to $A_0$ and $B_0$ 
such that $A_0 \wedge B_0 \wedge (\mathcal{H} \setminus \mathcal{H}_{mix}) \wedge \mathcal{H}_{sep} \models_{T_0} \bot$, where 

\[ \begin{aligned} \mathcal{H}_{sep} = {} & \{ (\textstyle\bigwedge_{i=1}^n c_i R_i t_i \to cRc_{f(t_1, \dots, t_n)}) \wedge (\textstyle\bigwedge_{i=1}^n t_i R_i d_i \to c_{f(t_1, \dots, t_n)} R d) \mid \\ & \quad \textstyle\bigwedge_{i=1}^n c_i R_i d_i \to cRd \in \mathcal{H}_{mix},\ d_i \approx s_i(e_1, \dots, e_n),\ d \approx g(e_1, \dots, e_n) \in D_B, \\ & \quad c \approx f(c_1, \dots, c_n) \in D_A \text{ or vice versa} \} = \mathcal{H}^A_{sep} \wedge \mathcal{H}^B_{sep} \end{aligned} \]

and $c_{f(t_1, \dots, t_n)}$ are new constants in $\Sigma_c$ (considered to be common) introduced for the 
corresponding terms $f(t_1, \dots, t_n)$. 

(2) $A_0 \wedge B_0 \wedge (\mathcal{H} \setminus \mathcal{H}_{mix}) \wedge \mathcal{H}_{sep}$ is logically equivalent with respect to $T_0$ with the following 
separated conjunction of ground literals: 

\[ \begin{aligned} \overline{A_0} \wedge \overline{B_0} = {} & A_0 \wedge B_0 \wedge \textstyle\bigwedge \{ cRd \mid \Gamma \to cRd \in \mathcal{H} \setminus \mathcal{H}_{mix} \} \\ & \wedge \textstyle\bigwedge \{ cRc_{f(\bar t)} \wedge c_{f(\bar t)} R d \mid (\Gamma \to cRc_{f(\bar t)}) \wedge (\Gamma \to c_{f(\bar t)} R d) \in \mathcal{H}_{sep} \}. \end{aligned} \]

(3) If $T_0$ is strongly $P$-interpolating then the $A$-part ($B$-part) of $A_0 \wedge B_0 \wedge (\mathcal{H} \setminus \mathcal{H}_{mix}) \wedge 
\mathcal{H}_{sep} \models_{T_0} \bot$ is logically equivalent with $\overline{A_0}$ (resp. $\overline{B_0}$) above. 

Proof. We prove (1) and (2) simultaneously by induction on the number of clauses in $\mathcal{H}$. 
If $\mathcal{H} = \emptyset$ then the initial problem is already separated into an $A$ and a $B$ part, so we are 
done: we can choose $T = \emptyset$. Assume that $\mathcal{H}$ contains at least one clause, and that for every 
$\mathcal{H}'$ with fewer clauses and every conjunctions of literals $A'_0, B'_0$ with $A'_0 \wedge B'_0 \wedge \mathcal{H}' \models_{T_0} \bot$, (1) 
and (2) hold. 

Let $\mathcal{D}$ be the set of all atoms $c_i R_i d_i$ occurring in premises of clauses in $\mathcal{H}$. As every model 
of $A_0 \wedge B_0 \wedge \bigwedge_{(cRd) \in \mathcal{D}} \neg(cRd)$ is also a model for $\mathcal{H} \wedge A_0 \wedge B_0$, and $\mathcal{H} \wedge A_0 \wedge B_0 \models_{T_0} \bot$, 
$A_0 \wedge B_0 \wedge \bigwedge_{(cRd) \in \mathcal{D}} \neg(cRd) \models_{T_0} \bot$. Let $(A_0 \wedge B_0)^+$ be the conjunction of all atoms in $A_0 \wedge B_0$, 
and $(A_0 \wedge B_0)^-$ be the set of all negative literals in $A_0 \wedge B_0$. Then 

\[ (A_0 \wedge B_0)^+ \models_{T_0} \bigvee_{(cRd) \in \mathcal{D}} (cRd) \vee \bigvee_{\neg L \in (A_0 \wedge B_0)^-} L. \]

By Assumption 1, $T_0$ is convex with respect to $\mathrm{Pred}$. Moreover, $(A_0 \wedge B_0)^+$ is a conjunction 
of positive literals. Therefore, either 

(i) $(A_0 \wedge B_0)^+ \models L$ for some $\neg L \in (A_0 \wedge B_0)^-$ (then $A_0 \wedge B_0$ is unsatisfiable and hence 
entails any atom $c_i R_i d_i$), or 

(ii) there exists $(c_1 R_1 d_1) \in \mathcal{D}$ such that $(A_0 \wedge B_0)^+ \models_{T_0} c_1 R_1 d_1$. 

Case 1: $A_0 \wedge B_0$ is unsatisfiable. In this case (1) and (2) hold for $T = \emptyset$. 

Case 2: $A_0 \wedge B_0$ is satisfiable. Then $A_0 \wedge B_0$ is logically equivalent in $T_0$ with $A_0 \wedge B_0 \wedge c_1 R_1 d_1$. 
If it is not the case that by adding $c_1 R_1 d_1$ all premises of some rule in $\mathcal{H}$ become true, we repeat 
the procedure for $\mathcal{D}_1 = \mathcal{D} \setminus \{c_1 R_1 d_1\}$: again in this case $A_0 \wedge B_0 \wedge \bigwedge_{(cRd) \in \mathcal{D}_1} \neg(cRd) \models_{T_0} \bot$ 
(if it has a model then $A_0 \wedge B_0 \wedge \mathcal{H}$ has one), and as before, using convexity we infer that 
either $A_0 \wedge B_0$ is unsatisfiable (which cannot be the case) or there exists $c_2 R_2 d_2 \in \mathcal{D}_1$ with 
$A_0 \wedge B_0 \models_{T_0} c_2 R_2 d_2$. We can repeat the process until all the premises of some clause in $\mathcal{H}$ 
are proved to be entailed by $A_0 \wedge B_0$. Let $C = \bigwedge_{i=1}^n c_i R_i d_i \to cRd$ be such a clause. 

Case 2a. Assume that $C$ contains only constants occurring in $A$ or only constants occurring 
in $B$. Then $A_0 \wedge B_0 \wedge \mathcal{H}$ is equivalent with respect to $T_0$ with $A_0 \wedge B_0 \wedge (\mathcal{H} \setminus C) \wedge cRd$. By the 
induction hypothesis for $A'_0 \wedge B'_0 = A_0 \wedge B_0 \wedge cRd$ and $\mathcal{H}' = \mathcal{H} \setminus \{C\}$, we know that there 
exists $T'$ such that $A'_0 \wedge B'_0 \wedge (\mathcal{H}' \setminus \mathcal{H}'_{mix}) \wedge \mathcal{H}'_{sep} \models \bot$, and (2) holds too. Then, for $T = T'$, 
$A'_0 \wedge B'_0 \wedge (\mathcal{H}' \setminus \mathcal{H}'_{mix}) \wedge \mathcal{H}'_{sep}$ is logically equivalent to $A_0 \wedge B_0 \wedge (\mathcal{H} \setminus \mathcal{H}_{mix}) \wedge \mathcal{H}_{sep}$, so (1) 
holds. In order to prove (2), note that, by definition, $\mathcal{H}'_{mix} = \mathcal{H}_{mix}$ and $\mathcal{H}'_{sep} = \mathcal{H}_{sep}$. By the 
induction hypothesis, $A'_0 \wedge B'_0 \wedge (\mathcal{H}' \setminus \mathcal{H}'_{mix}) \wedge \mathcal{H}'_{sep}$ is logically equivalent to a corresponding 
conjunction $\overline{A'_0} \wedge \overline{B'_0}$ containing as conjuncts all literals in $A'_0$ and $B'_0$ and all conclusions 
of rules in $\mathcal{H}' \setminus \mathcal{H}'_{mix}$ and $\mathcal{H}'_{sep}$. On the other hand, $A'_0 \wedge B'_0$ is logically equivalent to 
$A_0 \wedge B_0 \wedge (cRd)$, where $(cRd)$ is the conclusion of the rule $C \in \mathcal{H} \setminus \mathcal{H}_{mix}$. This proves (2). 

Case 2b. Assume now that $C$ is mixed, for instance that $c_1, \dots, c_n, c$ are constants in $A$ and 
$d_1, \dots, d_n, d$ are constants in $B$. Assume that $C$ is obtained from an instance of a clause 
of the form $\bigwedge_{i=1}^n x_i R_i s_i(\bar y) \to f(x_1, \dots, x_n) R g(\bar y)$. (The case when $C$ corresponds to an 
instance of a monotonicity axiom is similar.) This means that there exist $c \approx f(c_1, \dots, c_n) \in 
D_A$ and $d_i \approx s_i(\bar e), d \approx g(\bar e) \in D_B$. $C$ was chosen such that for each premise $c_i R_i d_i$ of $C$, 
$A_0 \wedge B_0 \models_{T_0} c_i R_i d_i$, and, by Assumption 2, $T_0$ is $P$-interpolating. Thus, there exist terms 
$t_1, \dots, t_n$ containing only constants common to $A_0$ and $B_0$ such that for all $i \in \{1, \dots, n\}$ 

\[ A_0 \wedge B_0 \models_{T_0} c_i R_i t_i \wedge t_i R_i d_i. \tag{5.2} \]

Let $c_{f(t_1, \dots, t_n)}$ be a new constant, denoting the term $f(t_1, \dots, t_n)$, and let 

\[ C_A = \bigwedge_{i=1}^n c_i R_i t_i \to cRc_{f(t_1, \dots, t_n)} \quad \text{and} \quad C_B = \bigwedge_{i=1}^n t_i R_i d_i \to c_{f(t_1, \dots, t_n)} R d. \]

Thus, $C_A$ corresponds to the monotonicity axiom $\bigwedge_{i=1}^n c_i R_i t_i \to f(c_1, \dots, c_n) R f(t_1, \dots, t_n)$, 
whereas $C_B$ corresponds to the rule $\bigwedge_{i=1}^n t_i R_i s_i(\bar e) \to f(t_1, \dots, t_n) R g(\bar e)$. As $R$ is transitive, 
by (5.2) the following holds: 

\[ \begin{aligned} A_0 \wedge B_0 \wedge C_A \wedge C_B \ &\equiv_{T_0}\ A_0 \wedge B_0 \wedge \Big(\bigwedge_{i=1}^n c_i R_i t_i \wedge C_A\Big) \wedge \Big(\bigwedge_{i=1}^n t_i R_i d_i \wedge C_B\Big) \\ &\equiv_{T_0}\ A_0 \wedge B_0 \wedge cRc_{f(t_1, \dots, t_n)} \wedge c_{f(t_1, \dots, t_n)} R d \\ &\equiv_{T_0}\ A_0 \wedge B_0 \wedge cRd \end{aligned} \]

(where $\equiv_{T_0}$ stands for logical equivalence with respect to $T_0$). 
Hence, $A_0 \wedge B_0 \wedge C_A \wedge C_B \wedge (\mathcal{H} \setminus C) \equiv_{T_0} A_0 \wedge B_0 \wedge cRd \wedge (\mathcal{H} \setminus C)$. On the other hand, as 
$A_0 \wedge B_0 \models_{T_0} \bigwedge_{i=1}^n c_i R_i d_i$, $A_0 \wedge B_0 \wedge \mathcal{H}$ is logically equivalent with $A_0 \wedge B_0 \wedge cRd \wedge (\mathcal{H} \setminus C)$, so 
$A_0 \wedge B_0 \wedge C_A \wedge C_B \wedge (\mathcal{H} \setminus C) \models_{T_0} \bot$. By the induction hypothesis for $A_0 \wedge B_0 \wedge cRc_{f(t_1, \dots, t_n)} \wedge 
c_{f(t_1, \dots, t_n)} R d$ and $\mathcal{H}' = \mathcal{H} \setminus C$ we know that there exists a set $T'$ of terms such that $A_0 \wedge B_0 \wedge 
cRc_{f(t_1, \dots, t_n)} \wedge c_{f(t_1, \dots, t_n)} R d \wedge (\mathcal{H}' \setminus \mathcal{H}'_{mix}) \wedge \mathcal{H}'_{sep} \models \bot$, and also (2) holds. Then (1) holds for 
$T = T' \cup \{t_1, \dots, t_n\}$. (2) can be proved similarly using the induction hypothesis. 

(3) follows from the same induction schema taking into account the fact that, by strong 
interpolation, whenever $A_0 \wedge B_0 \models c_i R_i d_i$ there exists $t_i$ (containing only constants common 
to $A_0$ and $B_0$) with $A_0 \models c_i R_i t_i$ and $B_0 \models t_i R_i d_i$ (see the footnote after Corollary 5.9). Then $A_0$ is logically equivalent (in $T_0$) 
to $A_0 \wedge \bigwedge_{i=1}^n c_i R_i t_i$, hence $A_0 \wedge C_A$ is logically equivalent to $A_0 \wedge cRc_{f(t_1, \dots, t_n)}$. (Similarly, 
$B_0$ is logically equivalent to $B_0 \wedge \bigwedge_{i=1}^n t_i R_i d_i$, so $B_0 \wedge C_B$ is logically equivalent to $B_0 \wedge 
c_{f(t_1, \dots, t_n)} R d$.) By using the induction hypothesis, (3) follows easily. □ 



An immediate consequence of Proposition 5.7 is Proposition 5.8. 

Proposition 5.8. Assume $T_0$ satisfies Assumptions 1 and 2, the extension $T_0 \subseteq T_0 \cup \mathcal{K}$ 
satisfies Assumptions 4 and 5, and $\mathcal{K}_0 \wedge A_0 \wedge B_0 \wedge \mathrm{Con}[D_A \wedge D_B]_0 \models_{T_0} \bot$. Then there exists 
a set $T$ of $\Sigma_0 \cup \Sigma_c$-terms containing only constants common to $A_0$ and $B_0$ such that (writing 
$\mathrm{Con}_0^{sep} = \mathrm{Con}_0^{AB} \wedge \mathrm{Con}_0^{BA}$ and $\mathcal{K}_0^{sep} = \mathcal{K}_0^{AB} \wedge \mathcal{K}_0^{BA}$): 

\[ \mathcal{K}_0^A \wedge \mathcal{K}_0^{sep} \wedge \mathcal{K}_0^B \wedge A_0 \wedge B_0 \wedge \mathrm{Con}_0^A \wedge \mathrm{Con}_0^{sep} \wedge \mathrm{Con}_0^B \models_{T_0} \bot. \tag{5.3} \]

As before, $\Sigma_c$ contains the new constants $c_{f(t_1, \dots, t_n)}$, considered to be common to $A_0$ and $B_0$, 
introduced for terms $f(t_1, \dots, t_n)$ with $t_1, \dots, t_n \in T$. 

Proof. If $\mathcal{K}$ only contains combinations of clauses of type (5.1) then all clauses in $\mathcal{K}_0 \wedge 
\mathrm{Con}[D_A \wedge D_B]_0$ satisfy the restrictions on $\mathcal{H}$ in Proposition 5.7. Thus Proposition 5.7 holds 
for $\mathcal{H} = \mathcal{K}_0 \wedge \mathrm{Con}[D_A \wedge D_B]_0$. Therefore there exists a set $T$ of $\Sigma_0 \cup \Sigma_c$-terms containing 
only constants common to $A_0$ and $B_0$ such that $A_0 \wedge B_0 \wedge (\mathcal{H} \setminus \mathcal{H}_{mix}) \wedge \mathcal{H}_{sep} \models_{T_0} \bot$. The statement 
of the proposition uses the description of $\mathcal{H} \setminus \mathcal{H}_{mix}$, denoted before by $\mathcal{K}_0^A \wedge \mathcal{K}_0^B$, as well as of 
$\mathcal{H}_{sep}$ as $\mathcal{K}_0^{AB} \wedge \mathcal{K}_0^{BA} \wedge \mathrm{Con}_0^{AB} \wedge \mathrm{Con}_0^{BA}$. □ 

Corollary 5.9. Assume that the extension $T_0 \subseteq T_0 \cup \mathcal{K}$ satisfies Assumptions 1-5, and that 
$\mathcal{K}_0 \wedge A_0 \wedge B_0 \wedge \mathrm{Con}[D_A \wedge D_B]_0 \models_{T_0} \bot$. With the notation in Proposition 5.8 the following 
holds: 

(1) There exists a $\Pi_0$-formula $I_0$ containing only constants common to $A_0, B_0$ with $\mathcal{K}_0^A \wedge 
\mathcal{K}_0^{AB} \wedge A_0 \wedge \mathrm{Con}_0^A \wedge \mathrm{Con}_0^{AB} \models_{T_0} I_0$ and $\mathcal{K}_0^B \wedge \mathcal{K}_0^{BA} \wedge B_0 \wedge \mathrm{Con}_0^B \wedge \mathrm{Con}_0^{BA} \wedge I_0 \models_{T_0} \bot$. 

(2) There exists a ground $\Pi^c$-formula $I$ containing only constants and function symbols 
which occur both in $A$ and $B$ such that $A \models_{T_1} I$ and $B \wedge I \models_{T_1} \bot$. 

(Footnote to the proof of Proposition 5.7(3): In this case we may need to separate even pure $A$ and $B$ clauses in $\mathcal{H}$ as in Case 2b, in order to 
guarantee the separate entailment from $A_0$ and $B_0$.) 
Proof. 

(1) is a direct consequence of Proposition 5.8, since $\mathcal{K}_0^A, \mathcal{K}_0^{AB}, \mathcal{K}_0^B, \mathcal{K}_0^{BA}$ are ground and we 
assumed that $T_0$ has ground interpolation. 

(2) Let $I$ be obtained from $I_0$ by recursively replacing each constant $c_t$ introduced in the 
separation process with the term $t$. We show that $I$ is an interpolant of $(A_0 \wedge D_A) \wedge 
(B_0 \wedge D_B)$ with respect to $T_1$, i.e. that (i) $A_0 \wedge D_A \models_{T_1} I$ and (ii) $I \wedge B_0 \wedge D_B \models_{T_1} \bot$. 

(i) Let $(M, v)$ be a $T_1$-model that satisfies $A_0 \wedge D_A$. Being a model of $T_1$, $(M, v)$ 
satisfies all instances of the axioms in $\mathcal{K}$ and of the congruence axioms in $\mathcal{K}_0^A \wedge 
\mathcal{K}_0^{AB} \wedge \mathrm{Con}_0^A \wedge \mathrm{Con}_0^{AB}$ (and similarly for the $B$ part). Thus, the restriction $(M_{|\Pi_0}, v)$ 
of $(M, v)$ to the base theory satisfies $\mathcal{K}_0^A \wedge \mathcal{K}_0^{AB} \wedge A_0 \wedge \mathrm{Con}_0^A \wedge \mathrm{Con}_0^{AB}$, hence also $I_0$. 
We thus proved that $A_0 \wedge D_A \models_{T_1} I_0 \wedge D_A$. It is easy to see that $I_0 \wedge D_A \models_{T_1} I$. 

(ii) Assume that $I \wedge B_0 \wedge D_B$ has a $T_1$-model $(M, v)$. Then $(M, v) \models I_0 \wedge B_0 \wedge D_B$, 
so its reduct to $\Pi_0$ is a model of $T_0$ and of $\mathcal{K}_0^B \wedge \mathcal{K}_0^{BA} \wedge B_0 \wedge \mathrm{Con}_0^B \wedge \mathrm{Con}_0^{BA} \wedge I_0$. 
This contradicts the fact that the set of clauses above is unsatisfiable with respect 
to $T_0$. Thus, $I \wedge B_0 \wedge D_B \models_{T_1} \bot$. □ 



6. A Procedure for Hierarchical Interpolation 

We obtain a procedure for computing interpolants for $A \wedge B$, described in Figure 1. 

Lemma 6.1. Assume that the cycle in Step 2 of the procedure described in Figure 1 stops 
after processing all mixed clauses in $\mathcal{H}_{mix}$ and moving their separated form into the set $\mathcal{H}_{sep}$. 
The following are equivalent: 

(1) $A_0 \wedge D_A \wedge B_0 \wedge D_B \models_{T_1} \bot$. 

(2) $A_0 \wedge B_0 \wedge (\mathcal{H} \setminus \mathcal{H}_{mix}) \wedge \mathcal{H}_{sep} \models_{T_0} \bot$. 

Proof. (1) $\Rightarrow$ (2) is a consequence of Theorem 4.7 and Proposition 5.8. As the conjunction 
in (2) corresponds to a subset of instances of $\mathcal{K} \wedge A_0 \wedge D_A \wedge B_0 \wedge D_B$, (2) implies (1). □ 

Note: If $\mathcal{K}_0 \wedge A_0 \wedge B_0 \wedge \mathrm{Con}[D_A \wedge D_B]_0 \models_{T_0} \bot$ then no matter which terms are chosen 
for separating mixed clauses in $\mathrm{Con}[D_A \wedge D_B]_0 \wedge \mathcal{K}_0$, we obtain a separated conjunction of 
clauses unsatisfiable with respect to $T_0$. Lemma 6.1 shows that if the set of clauses obtained 
when the procedure stops is satisfiable then $A \wedge B$ was satisfiable, and conversely, so the 
procedure can be used to test satisfiability and to compute interpolants at the same time. 
(However, it is more efficient to first test $A \wedge B \models_{T_1} \bot$.) 

Theorem 6.2. Let $T_0$ be a theory with the following properties: 

Assumption 1: $T_0$ is convex with respect to the set $\mathrm{Pred}$ (including equality $\approx$); 
Assumption 2: $T_0$ is $P$-interpolating with respect to a subset $P \subseteq \mathrm{Pred}$ and the separat- 
ing terms $t_i$ can be effectively computed; and 
Assumption 3: $T_0$ has ground interpolation 

(note that we assume, in particular, that $T_0$ satisfies a stronger form of Assumption 2). 
Assume that the extension $T_1 = T_0 \cup \mathcal{K}$ of $T_0$ has the following properties: 
Assumption 4: $T_1$ is a local extension of $T_0$; and 
Given: Local extension $T_0 \subseteq T_1 = T_0 \cup \mathcal{K}$ which satisfies Assumptions 1-5; 
Conjunctions $A$ and $B$ of literals over the signature of $T_1$ such that $A \wedge B \models_{T_1} \bot$. 

Task: Find an interpolant for $A \wedge B$, i.e. a formula $I$ with $A \models_{T_1} I$ and $I \wedge B \models_{T_1} \bot$. 

Step 1: Purify. 
Using locality, flattening and purification we obtain a set $\mathcal{H} \wedge A_0 \wedge B_0$ of formulae in the 
base theory, where $\mathcal{H} = \mathcal{K}_0 \wedge \mathrm{Con}[D_A \wedge D_B]_0$. 
Let $\Delta := \top$. 

Step 2: Reduction to an interpolation problem in the base theory. 
Repeat as long as possible: 
    Let $C \in \mathcal{H}$ whose premise is entailed by $A_0 \wedge B_0 \wedge \Delta$. 
    If $C$ is mixed, compute terms $t_i$ which separate the premises in $C$, and separate 
    the clause into an instance $C_1$ of monotonicity and an instance $C_2$ 
    of a clause in $\mathcal{K}$ as in the proof of Case 2b in Prop. 5.7. 
    Remove $C$ from $\mathcal{H}$, and add $C_1, C_2$ to $\mathcal{H}_{sep}$ and their conclusions to $\Delta$. 
    Otherwise move $C$ to $\mathcal{H}_{sep}$ and add its conclusion to $\Delta$. 

Step 3: Interpolation in the base theory. 
Compute an interpolant $I_0$ in $T_0$ for the separated formula $\overline{A_0} \wedge \overline{B_0}$ (logically equivalent to 
$A_0 \wedge B_0 \wedge (\mathcal{H} \setminus \mathcal{H}_{mix}) \wedge \mathcal{H}_{sep}$) obtained this way. 

Step 4: Construct interpolant for the initial problem. 
Construct an interpolant $I$ in $T_1$ from $I_0$ by recursively replacing each constant $c_t$ introduced 
in the separation process with the term $t$, as explained in Corollary 5.9(2). 

Figure 1: Procedure for hierarchical interpolant computation 

Assumption 5: $\mathcal{K}$ consists of the following type of combinations of clauses: 

\[ \begin{cases} x_1 R_1 s_1 \wedge \dots \wedge x_n R_n s_n \to f(x_1, \dots, x_n)\, R\, g(y_1, \dots, y_n) \\ x_1 R_1 y_1 \wedge \dots \wedge x_n R_n y_n \to f(x_1, \dots, x_n)\, R\, f(y_1, \dots, y_n) \end{cases} \]

where $n \geq 1$, $x_1, \dots, x_n, y_1, \dots, y_n$ are variables, $R_1, \dots, R_n, R$ are binary relations, $R_1, \dots, R_n \in P$, 
$R$ is transitive, and each $s_i$ is either a variable among the arguments of $g$, or a term of 
the form $f_i(z_1, \dots, z_k)$, where $f_i \in \Sigma_1$ and all the arguments of $f_i$ are variables occurring 
among the arguments of $g$ (i.e. combinations of clauses of type (5.1)). 

For every conjunction $A \wedge B$ of ground unit clauses in the signature $\Pi$ of $T_1$ (possibly 
containing additional constants) with $A \wedge B \models_{T_1} \bot$ the procedure for hierarchical interpolation 
terminates and computes an interpolant $I$ for $A \wedge B$. 

Proof. To prove termination note that at every execution of the loop in Step 2 the number 
of mixed clauses decreases. All entailment tests in Step 2 are decidable (their complexity 
is discussed separately). By Assumption (2'), terms $t_i$ which separate the premises can be 
computed in finite time. This shows that Step 2 terminates. Termination of Steps 1, 3 and 
4 is immediate. 

We now prove correctness. We know that $A \wedge B \models_{T_1} \bot$, so $A_0 \wedge D_A \wedge B_0 \wedge D_B \models_{T_1} \bot$. 
Hence, by Lemma 6.1, when the cycle in Step 2 of the procedure terminates, replacing the 
set of clauses $\mathcal{H}_{mix}$ with $\mathcal{H}_{sep}$, then $A_0 \wedge B_0 \wedge (\mathcal{H} \setminus \mathcal{H}_{mix}) \wedge \mathcal{H}_{sep} \models_{T_0} \bot$. By construction, at 
termination $(\mathcal{H} \setminus \mathcal{H}_{mix}) \wedge \mathcal{H}_{sep}$ contains only pure (unmixed) clauses. We can use the alternative 
form of $\mathcal{H} \setminus \mathcal{H}_{mix}$, denoted before by $\mathcal{K}_0^A \wedge \mathcal{K}_0^B$, as well as of $\mathcal{H}_{sep}$ as $\mathcal{K}_0^{AB} \wedge \mathcal{K}_0^{BA} \wedge \mathrm{Con}_0^{AB} \wedge 
\mathrm{Con}_0^{BA}$. In Step 3 an interpolant $I_0$ containing only constants common to $A_0, B_0$ with 
$\mathcal{K}_0^A \wedge \mathcal{K}_0^{AB} \wedge A_0 \wedge \mathrm{Con}_0^A \wedge \mathrm{Con}_0^{AB} \models_{T_0} I_0$ and $\mathcal{K}_0^B \wedge \mathcal{K}_0^{BA} \wedge B_0 \wedge \mathrm{Con}_0^B \wedge \mathrm{Con}_0^{BA} \wedge I_0 \models_{T_0} \bot$ 
is computed. In Step 4, a ground $\Pi^c$-formula $I$ containing only constants and function 
symbols which occur both in $A$ and $B$ such that $A \models_{T_1} I$ and $B \wedge I \models_{T_1} \bot$ is constructed 
starting from $I_0$ as explained in Corollary 5.9. This is the interpolant of $A \wedge B$. □ 

Complexity: Assume that in $T_0$, for a formula of length $n$: 

(a) interpolants can be computed in time $g(n)$, 

(b) $P$-interpolating terms can be computed in time $h(n)$, 

(c) entailment can be checked in time $k(n)$. 

The size $n$ of the set of clauses obtained after the preprocessing phase is quadratic in the 
size of the input. Under the assumptions (a), (b), (c) above, the procedure computes 
an interpolant in time of order $n \cdot (k(n) + h(n)) + g(n)$. 
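The procedure of Figure 1, run on the input of Example 5.3, as an added illustration (this is not code from the paper). It assumes the base theory is the theory of posets with $P = \{\approx, \leq\}$, so that base-theory entailment is a closure computation and the separating terms of Assumption 2 are shared constants; instances of monotonicity, congruence and $\mathrm{SGc}$ are generated for unary extension functions only; and the Step 3 interpolant is taken to be the conjunction of all shared atoms entailed by the Horn-positive $A$-part, after which the $B$-part is checked to be contradictory. The function names (`closure`, `instances`, `separate`, `unfold`) and the constant name `c_f(d)` are the example's own.

```python
from itertools import product

LE, EQ = "<=", "="          # the two predicates in P for the poset base theory


def closure(atoms):
    """All ground atoms (x, R, y), R in {<=, =}, entailed by `atoms` in the theory of
    posets: reflexivity, symmetry of =, = implies <= both ways, transitivity, antisymmetry."""
    facts = set(atoms)
    for x, _, y in list(facts):
        facts |= {(x, LE, x), (x, EQ, x), (y, LE, y), (y, EQ, y)}
    while True:
        new = set()
        for x, r, y in facts:
            if r == EQ:
                new |= {(y, EQ, x), (x, LE, y), (y, LE, x)}
            elif (y, LE, x) in facts:
                new.add((x, EQ, y))
        for (x, r1, y), (u, r2, v) in product(facts, repeat=2):
            if r1 == LE and r2 == LE and y == u:
                new.add((x, LE, v))
        if new <= facts:
            return facts
        facts |= new


def unsat(pos, neg):
    """True if the positive atoms `pos` entail one of the negated atoms `neg`."""
    return not closure(pos).isdisjoint(neg)


def instances(defs, sgc_pairs):
    """Ground Horn clauses of H = K0 ∧ Con[D_A ∧ D_B]0 for unary extension functions, as
    (premises, conclusion, f) with f the function symbol defining the conclusion's left constant.
    `defs` maps an introduced constant to (f, args); `sgc_pairs` lists (f, g) with SGc(f, g)."""
    out = []
    for (c, (f, (x,))), (d, (h, (y,))) in product(defs.items(), repeat=2):
        if f == h:                                   # Mon(f) and the congruence axiom for f
            out.append(([(x, LE, y)], (c, LE, d), f))
            out.append(([(x, EQ, y)], (c, EQ, d), f))
        if (f, h) in sgc_pairs:                      # SGc(f, h): x <= h(y) -> f(x) <= y
            out.append(([(x, LE, d)], (c, LE, y), f))
    return out


def separate(H, A0, B0, A_consts, B_consts, defs):
    """Step 2 of Figure 1: fire each clause whose premises are entailed; split a mixed clause
    around a fresh shared constant c_f(t) as in Case 2b of Prop. 5.7.  Returns the conclusions
    added on the A side and on the B side (the sets Delta_A, Delta_B of Remark 6.3)."""
    delta_A, delta_B, pending = [], [], list(H)
    in_A = lambda ks: all(k in A_consts for k in ks)
    in_B = lambda ks: all(k in B_consts for k in ks)
    while True:
        known = closure(A0 + B0 + delta_A + delta_B)
        ready = [cl for cl in pending if all(p in known for p in cl[0])]
        if not ready:
            return delta_A, delta_B
        prem, (c, r, d), f = ready[0]
        pending.remove(ready[0])
        lefts = [p[0] for p in prem] + [c]           # constants left of each R_i and of R
        rights = [p[2] for p in prem] + [d]
        if in_A(lefts + rights):                     # pure clause: conclusion stays on its side
            delta_A.append((c, r, d))
            continue
        if in_B(lefts + rights):
            delta_B.append((c, r, d))
            continue
        # mixed clause: for each premise c_i R_i d_i pick a shared constant t_i with
        # c_i R_i t_i and t_i R_i d_i entailed (the P-interpolating property, Assumption 2)
        ts = [next(t for t in sorted(A_consts & B_consts)
                   if (ci, ri, t) in known and (t, ri, di) in known) for ci, ri, di in prem]
        new = f"c_{f}({','.join(ts)})"               # constant standing for f(t_1, ..., t_n)
        defs[new] = (f, tuple(ts))
        A_consts.add(new); B_consts.add(new)         # the new constant counts as common
        (delta_A if in_A(lefts) else delta_B).append((c, r, new))    # C_A: ∧ c_i R_i t_i -> c R c_f(t)
        (delta_A if in_A(rights) else delta_B).append((new, r, d))   # C_B: ∧ t_i R_i d_i -> c_f(t) R d


def unfold(k, defs):
    """Step 4: replace introduced constants by the terms they stand for, recursively."""
    if k not in defs:
        return k
    f, args = defs[k]
    return f"{f}({','.join(unfold(a, defs) for a in args)})"


def hierarchical_interpolant(A0, B0, B_neg, A_consts, B_consts, defs, sgc_pairs):
    """Steps 1-4 for a positive A-part A0 and a B-part B0 ∧ ¬B_neg.  Step 3 uses the
    conjunction of shared atoms entailed by the A side as the base-theory interpolant."""
    dA, dB = separate(instances(defs, sgc_pairs), A0, B0, A_consts, B_consts, defs)
    A1, B1 = A0 + dA, B0 + dB                      # the separated conjunction \bar A0 ∧ \bar B0
    shared = A_consts & B_consts
    I0 = sorted(a for a in closure(A1) if a[0] != a[2] and a[0] in shared and a[2] in shared)
    if not unsat(B1 + I0, B_neg):
        raise ValueError("separated problem is satisfiable: A ∧ B was not T1-unsatisfiable")
    return [(unfold(x, defs), r, unfold(y, defs)) for x, r, y in I0]


def example_5_3():
    """Constructed input of Example 5.3: A = {d <= g(a), a <= c}, B = {b <= d, not f(b) <= c}."""
    defs = {"a1": ("g", ("a",)), "b1": ("f", ("b",))}      # D_A = {a1 ~ g(a)}, D_B = {b1 ~ f(b)}
    A0 = [("d", LE, "a1"), ("a", LE, "c")]
    B0, B_neg = [("b", LE, "d")], [("b1", LE, "c")]
    return hierarchical_interpolant(A0, B0, B_neg, {"a", "a1", "c", "d"},
                                    {"b", "b1", "c", "d"}, defs, sgc_pairs={("f", "g")})


if __name__ == "__main__":
    print(example_5_3())    # [('f(d)', '<=', 'c')]
```

Running it reproduces steps (i)-(v) of Example 5.3: the only mixed clause is $b \leq a_1 \to b_1 \leq a$, the separating constant found is $d$, the two pure clauses $d \leq a_1 \to c_{f(d)} \leq a$ and $b \leq d \to b_1 \leq c_{f(d)}$ replace it, and the interpolant $c_{f(d)} \leq c$ unfolds to $f(d) \leq c$.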

Remark 6.3. If $T_0$ satisfies Assumptions 1 and 3 at the beginning of Section 5.2 and is 
strongly $P$-interpolating, the procedure above can be changed (according to the proof of 
Proposition 5.7(3)) to separate all clauses in $\mathcal{H}$ and store the conclusions of the separated 
clauses in $\Delta = \Delta_A \cup \Delta_B$. If $\mathcal{K}_0 \wedge A_0 \wedge B_0 \wedge \mathrm{Con}[D_A \wedge D_B]_0 \models_{T_0} \bot$ then there exists a set 
$T$ of $\Sigma_0 \cup \Sigma_c$-terms containing only constants common to $A_0$ and $B_0$, and common new 
constants in a set $\Sigma_c$ such that the terms in $T$ can be used to separate $\mathrm{Con}[D_A \wedge D_B]_0 \cup \mathcal{K}_0$ 
into $\mathcal{H}_{sep} = (\mathcal{K}_0^{AB} \wedge \mathrm{Con}_0^{AB}) \wedge (\mathcal{K}_0^{BA} \wedge \mathrm{Con}_0^{BA})$, where: 

\[ \begin{aligned} \mathcal{H}_{sep} = {} & \{ (\textstyle\bigwedge_{i=1}^n c_i R_i t_i \to cRc_{f(t_1, \dots, t_n)}) \wedge (\textstyle\bigwedge_{i=1}^n t_i R_i d_i \to c_{f(t_1, \dots, t_n)} R d) \mid \\ & \quad \textstyle\bigwedge_{i=1}^n c_i R_i d_i \to cRd \in \mathrm{Con}_0 \cup \mathcal{K}_0 \} = (\mathcal{K}_0^{AB} \wedge \mathrm{Con}_0^{AB}) \wedge (\mathcal{K}_0^{BA} \wedge \mathrm{Con}_0^{BA}) \end{aligned} \]

such that for each premise $c_i R_i d_i$ of a rule in $\mathrm{Con}[D_A \wedge D_B]_0 \cup \mathcal{K}_0$, at some step in the 
procedure $A_0 \wedge B_0 \wedge \Delta_A \wedge \Delta_B \models c_i R_i d_i$ and there exists $t_i \in T$ such that $A_0 \wedge \Delta_A \models c_i R_i t_i$ 
and $B_0 \wedge \Delta_B \models t_i R_i d_i$. In this case $A_0 \wedge \mathcal{K}_0^{AB} \wedge \mathrm{Con}_0^{AB}$ is logically equivalent to $\overline{A_0}$, and 
$B_0 \wedge \mathcal{K}_0^{BA} \wedge \mathrm{Con}_0^{BA}$ is logically equivalent to $\overline{B_0}$, where $\overline{A_0}, \overline{B_0}$ are the following conjunctions 
of literals: 

\[ \begin{aligned} \overline{A_0} &= A_0 \wedge \textstyle\bigwedge \{ cRc_{f(\bar t)} \mid \text{conclusion of some clause } (\Gamma \to cRc_{f(\bar t)}) \in \mathcal{K}_0^{AB} \cup \mathrm{Con}_0^{AB} \} \\ \overline{B_0} &= B_0 \wedge \textstyle\bigwedge \{ c_{f(\bar t)} R d \mid \text{conclusion of some clause } (\Gamma \to c_{f(\bar t)} R d) \in \mathcal{K}_0^{BA} \cup \mathrm{Con}_0^{BA} \}. \end{aligned} \]

Thus, if for instance in $T_0$ interpolants for conjunctions of ground literals are always again 
conjunctions of ground literals, the same is also true in the extension. 

Example 6.4. The following theory extensions have ground interpolation: 

(a) Extensions of any theory in Theorem 5.4(1)-(4) with free function symbols. 

(b) Extensions of the theories in Theorem 5.4(2), (4) with monotone functions. 

(c) Extensions of the theories in Theorem 5.4(2), (4) with $\mathrm{Leq}(f, g) \wedge \mathrm{Mon}(f)$. 

(d) Extensions of the theories in Theorem 5.4(2), (4) with $\mathrm{SGc}(f, g_1) \wedge \mathrm{Mon}(f, g_1)$. 

(e) Extensions of any theory in Theorem 5.4(1)-(4) with $\mathrm{Bound}^t(f)$ or $\mathrm{GBound}^t_\phi(f)$ (where 
$t$ is a term and $\phi$ a set of literals in the base theory). 

(f) Extensions of the theories in Theorem 5.4(2), (4) with $\mathrm{Mon}(f) \wedge \mathrm{Bound}^t(f)$, if $t$ is mono- 
tone in its variables. 

(g) $\mathbb{R} \cup (\mathrm{L}_\lambda)$, the extension of the theory of reals with a unary function which is $\lambda$-Lipschitz 
in a point $x_0$, where $(\mathrm{L}_\lambda)$ is $\forall x\ |f(x) - f(x_0)| \leq \lambda \cdot |x - x_0|$. 

Proof. (a)-(d) are direct consequences of Corollary 5.9, since all sets of extension clauses 
are of type (5.1). For extensions of linear arithmetic note that due to the totality of $\leq$ we 
can always assume that $A$ and $B$ are positive, so convexity with respect to $\approx$ is sufficient 
(cf. proof of Proposition 5.7). Also, in [11] we show that being $P$-interpolating with respect 
to $\leq$ is sufficient in this case. (e)-(g) follow from Corollary 5.9 and the fact that if each 
clause in $\mathcal{K}$ contains only one occurrence of an extension function, no mixed instances can 
be generated when computing $\mathcal{K}[A \wedge B]$. □ 



7. Applications 

7.1. Modular reasoning in local combinations of theories. Let % = To U K4, i = 1, 2 

be local extensions of a theory T with signature n = (S , Pred), where S = Si H X 2 . 
Assume that (a) all variables in /Q occur below some extension function, (b) the extension 
To ^ To U K-i U K-2 is locafl and (c) Tq has ground interpolation. 

Let G be a set of ground clauses in the signature Il c = (So U Si U S2 U S c , Pred). G 
can be flattened and purified, so we assume without loss of generality that G = Gi A G 2 , 
where Gi,G 2 are flat and linear sets of clauses in the signatures III, II2 respectively, i.e. 
for i = 1,2, Gi = G® A Go A Di, where G® and Go are clauses in the base theory and Di 
conjunctions of unit clauses of the form /(ci, . . . , c n ) = c, f G Sj\So- 

Theorem 7.1. With the notations above, assume that G\ AG2 ^TiuT 2 ^- Then there exists 
a ground formula I, containing only constants shared by Gi and G2, with G\ |=TiuT 2 I an d 
I A G 2 \=r 1 uT 2 -L- 

Proof. By Theorem 4.7 the following are equivalent:

(1) $T_0 \cup \mathcal{K}_1 \cup \mathcal{K}_2 \cup (G_1^0 \wedge G_0 \wedge D_1) \wedge (G_2^0 \wedge G_0 \wedge D_2) \models \bot$,

(2) $T_0 \cup \mathcal{K}_1[G_1] \wedge \mathcal{K}_2[G_2] \wedge (G_1^0 \wedge G_0 \wedge D_1) \wedge (G_2^0 \wedge G_0 \wedge D_2) \models \bot$,

(3) $\mathcal{K}_1^0 \wedge \mathcal{K}_2^0 \wedge (G_1^0 \wedge G_0) \wedge (G_2^0 \wedge G_0) \wedge \mathrm{Con}_1 \wedge \mathrm{Con}_2 \models_{T_0} \bot$, where, for $j = 1, 2$,

$\mathrm{Con}_j = \bigwedge \{ \bigwedge_{i=1}^n c_i \approx d_i \to c \approx d \mid f(c_1, \dots, c_n) \approx c,\ f(d_1, \dots, d_n) \approx d \in D_j \}$,

and $\mathcal{K}_j^0$ is the formula obtained from $\mathcal{K}_j[G_j]$ after purification and flattening, taking into account the definitions from $D_j$. Let $A = \mathcal{K}_1^0 \wedge (G_1^0 \wedge G_0) \wedge \mathrm{Con}_1$ and $B = \mathcal{K}_2^0 \wedge (G_2^0 \wedge G_0) \wedge \mathrm{Con}_2$. By assumption (a), $A$ and $B$ are both ground. As $A$ and $B$ have no extension function symbols in common and only share the constants which $G_1$ and $G_2$ share, there exists an interpolant $I_0$ in the signature $\Pi_0$, containing only $\Sigma_0$-function symbols and only constants shared by $G_1, G_2$, such that $A \models_{T_0} I_0$ and $B \wedge I_0 \models_{T_0} \bot$. An interpolant for $G_1 \wedge G_2$ with respect to $T_1 \cup T_2$ can now be obtained by replacing the newly introduced constants by the terms they replaced. □



¹If $T_0$ is a $\forall\exists$ theory then (b) is implied by (a) and the locality of $T_1$, $T_2$ [16].
By Remark 6.3, if $T_0$ is strongly $P$-interpolating and has equational interpolation then $I$ is a conjunction of literals, so for modularly proving $G_1 \wedge G_2 \models_{T_1 \cup T_2} \bot$ only conjunctions of ground literals containing constants shared by $G_1, G_2$ need to be exchanged between specialized provers for $T_1$ and $T_2$.

7.2. Terminological Databases. Consider the combination of databases in Section 2.1. We prove that

$\mathcal{T}_0 \wedge (\mathcal{T}_1 \wedge \mathcal{C}_1) \wedge (\mathcal{T}_2 \wedge \mathcal{C}_2) \models_{\mathcal{T}} \bot$ (7.1)

where $\mathcal{T}$ is the extension $\mathrm{SLat} \cup \bigcup_{f \in R_1 \cup R_2} \mathrm{Mon}(f)$ of the theory of semilattices with 0 with monotone functions corresponding to the roles in $R_1 \cup R_2$, and where the terminologies $\mathcal{T}_i$ and the constraints $\mathcal{C}_i$ are:

$\mathcal{T}_0 = \{\text{organic} \wedge \text{inorganic} \approx 0,\ \text{organic} \le \text{substance},\ \text{inorganic} \le \text{substance}\}$

$\mathcal{T}_1 = \{\text{cat-oxydation} \approx \text{substance} \wedge \text{catalyzes}(\text{oxydation})\}$

$\mathcal{C}_1 = \{\text{reaction} \le \text{oxydation},\ \text{cat-oxydation} \le \text{inorganic},\ \text{cat-oxydation} \not\approx 0\}$

$\mathcal{T}_2 = \{\text{reaction} \approx \text{process} \wedge \text{produces}(\text{substance}),\ \text{enzyme} \approx \text{organic} \wedge \text{catalyzes}(\text{reaction})\}$

$\mathcal{C}_2 = \{\text{enzyme} \not\approx 0\}$

In order to find the mistake we look for an explanation for the inconsistency in the joint language of the two databases. Based on results on hierarchical reasoning in extensions of theories in [15] we can show that if we purify the problem by introducing definitions for the terms starting with an extension role symbol we can reduce the satisfiability test to a satisfiability test in the base theory. Thus, (7.1) is equivalent to the unsatisfiability of a set of clauses over the theory of semilattices, namely $C_{\mathcal{T}_0} \wedge C_{\mathcal{T}_1} \wedge C_{\mathcal{C}_1} \wedge C_{\mathcal{T}_2} \wedge C_{\mathcal{C}_2} \wedge \mathcal{K}_0$, where $C_{\mathcal{T}_i}$ and $C_{\mathcal{C}_i}$ are as in the table below (the shared symbols are those occurring in both databases) and $\mathcal{K}_0$ consists of the instances of the monotonicity axioms listed after the table:





        | Extension                  | Base                              |
        | (Definitions)              | Terminology (C_T)                 | Constraints (C_C)
  ------+----------------------------+-----------------------------------+----------------------------
   T_0  |                            | organic ∧ inorganic ≈ 0           |
        |                            | organic ≤ substance               |
        |                            | inorganic ≤ substance             |
  ------+----------------------------+-----------------------------------+----------------------------
   1    | co ≈ catalyzes(oxydation)  | cat-oxydation ≈ substance ∧ co    | reaction ≤ oxydation
        |                            |                                   | cat-oxydation ≤ inorganic
        |                            |                                   | cat-oxydation ≉ 0
  ------+----------------------------+-----------------------------------+----------------------------
   2    | ps ≈ produces(substance)   | reaction ≈ process ∧ ps           | enzyme ≉ 0
        | cr ≈ catalyzes(reaction)   | enzyme ≈ organic ∧ cr             |

The following instances of the congruence or monotonicity axioms need to be considered:
$\text{oxydation} \triangleright \text{reaction} \to \text{co} \triangleright \text{cr}$, where $\triangleright \in \{\approx, \le, \ge\}$.



They are not mixed. The conjunction of formulae in the base theory is unsatisfiable in the theory of semilattices. It can be split into a part $A$ containing only concepts in AChem and a part $B$ containing only concepts in BioChem. An interpolant for $A \wedge B$ in the theory of semilattices with 0 is $I_0 = \text{substance} \wedge \text{cr} \le \text{inorganic}$. Thus, $I = \text{substance} \wedge \text{catalyzes}(\text{reaction}) \le \text{inorganic}$ is an interpolant for $A \wedge B$. This is an explanation for the inconsistency of $A \wedge B$, and may help to find the error more easily than the initial proof of unsatisfiability. For this we can, for instance, analyze the (shorter) proofs of $A \models I$ and $B \wedge I \models \bot$ and note that the constraint $\text{reaction} \le \text{oxydation}$ is used in the proof of $A \models I$.
7.3. Verification. Consider the verification example from Section 2.2. We illustrate our method for generating interpolants for a formula corresponding to a path of length 2 from an initial state to an unsafe state:

$G = l \le L_{\mathrm{alarm}} \wedge l' \approx \mathrm{in}(l, t' - t) \wedge t' \approx k(t) \wedge l' \ge L_{\mathrm{alarm}} \wedge l'' \approx \mathrm{in}(\mathrm{out}(l', t''_1 - t'), t''_2 - t') \wedge t''_1 \approx g(t') \wedge t''_2 \approx k(t') \wedge \neg\, l'' \le L_{\mathrm{overflow}}$

Hierarchic reasoning. The extension $T_1$ of linear arithmetic with the clauses $\mathcal{K}$ in Section 2 is local, so to prove $G \models_{T_1} \bot$ it is sufficient to consider ground instances $\mathcal{K}[G]$ in which all extension terms already occur in $G$. After flattening and purifying $\mathcal{K}[G] \wedge G$, we separate the problem into a definition part (Extension) and a base part $G_0 \wedge \mathcal{K}_0$. By Theorem 4.7 [15], the problem can be reduced to testing the satisfiability in the base theory of the conjunction $G_0 \wedge \mathcal{K}_0 \wedge \mathrm{Con}_0$. As this conjunction is unsatisfiable with respect to $T_0$, $G$ is unsatisfiable.



  Extension (Definitions)  | Base: G_0                 | Base: K_0 ∧ Con_0
  -------------------------+---------------------------+------------------------------------------------------------
  l' ≈ in(l, e_1)          | l ≤ L_alarm               | K_0:   l ≤ L_alarm ∧ 0 ≤ e_1 ≤ Δt → l' ≤ L_overflow
  c_2 ≈ out(l', e_2')      | l' ≥ L_alarm              |        c_2 ≤ L_alarm ∧ 0 ≤ e_2 ≤ Δt → l'' ≤ L_overflow
  l'' ≈ in(c_2, e_2)       | e_1 ≈ t' − t              |        l' ≤ L_overflow ∧ e_2' ≥ δt → c_2 ≤ L_alarm
  t' ≈ k(t)                | e_2' ≈ t''_1 − t'         |        0 ≤ δt ≤ t''_1 − t' ≤ t''_2 − t' ≤ Δt
  t''_2 ≈ k(t')            | e_2 ≈ t''_2 − t'          |        0 ≤ t' − t ≤ Δt
                           | ¬ l'' ≤ L_overflow        | Con_0: l ≈ c_2 ∧ e_1 ≈ e_2 → l' ≈ l''

Interpolation. Let $A$ and $B$ be given by:

$A = l \le L_{\mathrm{alarm}} \wedge e_1 \approx t' - t \wedge l' \approx \mathrm{in}(l, e_1) \wedge t' \approx k(t)$

$B = l' \ge L_{\mathrm{alarm}} \wedge c_2 \approx \mathrm{out}(l', e_2') \wedge l'' \approx \mathrm{in}(c_2, e_2) \wedge e_2' \approx t''_1 - t' \wedge e_2 \approx t''_2 - t' \wedge t''_1 \approx g(t') \wedge t''_2 \approx k(t') \wedge \neg\, l'' \le L_{\mathrm{overflow}}$.

The set of constants which occur in $A$ is $\{l, t, e_1, l', t'\}$. In $B$ occur $\{l', t', c_2, l'', t''_1, t''_2, e_2', e_2\}$. The shared constants are $l'$ and $t'$. To generate an interpolant for $A \wedge B$, we partition the clauses in $A \wedge B \wedge \mathcal{K}_0 \wedge \mathrm{Con}_0 = A_0 \wedge B_0 \wedge \mathcal{K}_0^A \wedge \mathcal{K}_0^B \wedge \mathrm{Con}_0$, where:

$A_0 = l \le L_{\mathrm{alarm}} \wedge e_1 \approx t' - t$

$B_0 = l' \ge L_{\mathrm{alarm}} \wedge e_2' \approx t''_1 - t' \wedge e_2 \approx t''_2 - t' \wedge \neg\, l'' \le L_{\mathrm{overflow}}$

$\mathcal{K}_0^A = (l \le L_{\mathrm{alarm}} \wedge 0 \le e_1 \le \Delta t \to l' \le L_{\mathrm{overflow}}) \wedge (0 \le t' - t \le \Delta t)$

$\mathcal{K}_0^B = (c_2 \le L_{\mathrm{alarm}} \wedge 0 \le e_2 \le \Delta t \to l'' \le L_{\mathrm{overflow}}) \wedge (l' \le L_{\mathrm{overflow}} \wedge e_2' \ge \delta t \to c_2 \le L_{\mathrm{alarm}}) \wedge (0 \le \delta t \le t''_1 - t' \le t''_2 - t' \le \Delta t)$.

The clause in $\mathrm{Con}_0$ is mixed. Since already the conjunction of the formulae in $A_0 \wedge B_0 \wedge \mathcal{K}_0^A \wedge \mathcal{K}_0^B$ is unsatisfiable, $\mathrm{Con}_0$ is not needed to prove unsatisfiability. The conjunction of the formulae in $A_0 \wedge B_0 \wedge \mathcal{K}_0^A \wedge \mathcal{K}_0^B$ is equivalent to $A_0' \wedge B_0'$, where

$A_0' = l \le L_{\mathrm{alarm}} \wedge e_1 \approx t' - t \wedge (0 \le t' - t \le \Delta t) \wedge l' \le L_{\mathrm{overflow}}$

$B_0' = l' \ge L_{\mathrm{alarm}} \wedge e_2' \approx t''_1 - t' \wedge e_2 \approx t''_2 - t' \wedge (0 \le \delta t \le t''_1 - t' \le t''_2 - t' \le \Delta t) \wedge \neg\, l'' \le L_{\mathrm{overflow}} \wedge \neg\, c_2 \le L_{\mathrm{alarm}} \wedge \neg\, l' \le L_{\mathrm{overflow}}$.

The interpolant for $A_0' \wedge B_0'$ is $l' \le L_{\mathrm{overflow}}$, which is also an interpolant for $A \wedge B$. The abstraction defined in Section 2.2 can then be refined by introducing another predicate

$l \le L_{\mathrm{overflow}}$.

8. Conclusions 

We presented a method for obtaining simple interpolants in theory extensions. We identified situations in which it is possible to do this in a hierarchical manner, by using a prover and a procedure for generating interpolants in the base theory as "black-boxes". This allows us to use the properties of $T_0$ (e.g. the form of interpolants) to control the form of interpolants in the extension $T_1$. We discussed applications of interpolation in verification and knowledge representation.

The method we presented can be applied to a class of theories which is more general than that considered in McMillan [8] (extension of linear rational arithmetic with uninterpreted function symbols). Our method is orthogonal to the method for generating interpolants for combinations of theories over disjoint signatures from Nelson-Oppen-style unsatisfiability proofs proposed by Yorsh and Musuvathi in [19], as it allows us to consider combinations of theories over non-disjoint signatures.

The hierarchical interpolation method presented here was in particular used for efficiently computing interpolants in the special case of the extension of linear arithmetic with free function symbols in [11]; the algorithm we used in that paper (on which an implementation is based) differs a bit from the one presented here in being tuned to the constraint-based approach used in [11]. The implementation was integrated into the predicate discovery procedure of the software verification tools Blast [3] and ARMC [10]. First tests suggest that the performance of our method is of the same order of magnitude as the methods which construct interpolants from proofs, and considerably faster on many examples. In addition, our method can handle systems which pose problems to other interpolation-based provers: we can handle problems containing both strict and nonstrict inequalities, and it allows us to verify examples that require predicates over up to four variables. Details about the implementation and benchmarks for the special case of linear arithmetic + free function symbols are described in [11].

Although the method we presented here is based on a hierarchical reduction of proof tasks in a local extension of a given theory $T_0$ to proof tasks in $T_0$, the results presented in Section 5 (in particular the separation technique described in Proposition 5.7) and in Section 6 also hold for non-purified formulae (i.e. they also hold if we do not perform the step of introducing new constant names $c_{f(\overline{a})}$ for the ground terms $f(\overline{a})$ which occur in the problem or during the separation process). Depending on the properties of $T_0$, techniques for reasoning and interpolant generation in the extension of $T_0$ with free function symbols, e.g. within state of the art SMT solvers, can then be used. We can, therefore, use the results in Sections 5 and 6 to extend in a natural way existing methods for interpolant computation which take advantage of state of the art SMT technology (cf. e.g. [3]) to the more complex types of theory extensions with sets of axioms of type (5.1) we considered here.

An immediate application of our method is to verification by abstraction-refinement; 
there are other potential applications (e.g. goal-directed overapproximation for achieving 
faster termination, or automatic invariant generation) which we would like to study. We 
would also like to analyze in more detail the applications to reasoning in complex knowledge 
bases. 
Appendix A. Amalgamation and interpolation

There exist results which relate ground interpolation to amalgamation or the injection transfer property [5, 2, 18] and thus allow us to recognize many theories with ground interpolation.

If $\Pi = (\Sigma, \mathrm{Pred})$ is a signature and $A, B$ are $\Pi$-structures, we say that:

• a map $h : A \to B$ is a homomorphism if it preserves the truth of positive literals, i.e. has the property that if $f_A(a_1, \dots, a_n) = a$ then $f_B(h(a_1), \dots, h(a_n)) = h(a)$, and if $P_A(a_1, \dots, a_n)$ is true then $P_B(h(a_1), \dots, h(a_n))$ is true.

• a map $i : A \to B$ is an embedding if it preserves the truth of both positive and negative literals, i.e. $P_A(a_1, \dots, a_n)$ is true (in $A$) if and only if $P_B(i(a_1), \dots, i(a_n))$ is true (in $B$) for any predicate symbol, including equality. Thus, an embedding is an injective homomorphism which also preserves the truth of negative literals.

Definition A.1. Let $\Pi = (\Sigma, \mathrm{Pred})$ be a signature, and let $\mathcal{M}$ be a class of $\Pi$-structures.

(1) We say that $\mathcal{M}$ has the amalgamation property (AP) if for any $A, B_1, B_2 \in \mathcal{M}$ and any embeddings $i_1 : A \hookrightarrow B_1$ and $i_2 : A \hookrightarrow B_2$ there exists a structure $C \in \mathcal{M}$ and embeddings $j_1 : B_1 \hookrightarrow C$ and $j_2 : B_2 \hookrightarrow C$ such that $j_1 \circ i_1 = j_2 \circ i_2$.

(2) $\mathcal{M}$ has the injection transfer property (ITP) if for any $A, B_1, B_2 \in \mathcal{M}$, any embedding $i_1 : A \hookrightarrow B_1$ and any homomorphism $f_2 : A \to B_2$ there exists a structure $C \in \mathcal{M}$, a homomorphism $f_1 : B_1 \to C$ and an embedding $j_2 : B_2 \hookrightarrow C$ such that $f_1 \circ i_1 = j_2 \circ f_2$.

Definition A.2. An equational theory $T$ (in signature $\Pi = (\Sigma, \mathrm{Pred})$ where $\mathrm{Pred} = \{\approx\}$) has the equational interpolation property if whenever

$\bigwedge_i A_i(\overline{a}, \overline{c}) \wedge \bigwedge_j B_j(\overline{c}, \overline{b}) \wedge \neg B(\overline{c}, \overline{b}) \models_T \bot$,

where $A_i$, $B_j$ and $B$ are ground atoms, there exists a conjunction $I(\overline{c})$ of ground atoms containing only the constants $\overline{c}$ occurring both in $\bigwedge_i A_i(\overline{a}, \overline{c})$ and $\bigwedge_j B_j(\overline{c}, \overline{b}) \wedge \neg B(\overline{c}, \overline{b})$, such that $\bigwedge_i A_i(\overline{a}, \overline{c}) \models_T I(\overline{c})$ and $I(\overline{c}) \wedge \bigwedge_j B_j(\overline{c}, \overline{b}) \models_T B(\overline{c}, \overline{b})$.

Theorem A.3 ([5, 2, 18]). Let $T$ be a universal theory. Then:

(1) $T$ has ground interpolation if and only if $\mathrm{Mod}(T)$ has (AP) [2]. In addition, we can guarantee that if $\phi$ is positive then the interpolant of $\phi \wedge \psi$ is positive if and only if $\mathrm{Mod}(T)$ has the injection transfer property [2].

(2) If $T$ is an equational theory, then $T$ has the equational interpolation property if and only if $\mathrm{Mod}(T)$ has the injection transfer property [18].

Theorem A.3 can be used to prove that many equational theories have ground interpolation:

Theorem A.4. The following theories allow ground interpolation²:

(1) The theory of pure equality (without function symbols).

(2) Linear rational and real arithmetic.

(3) The theory of posets.

(4) The theories of (a) Boolean algebras, (b) semilattices, (c) distributive lattices.

²In fact, the theories (1) and (4) allow equational interpolation. Similar results were also established for (2) in [11].

Proof. (1), (2), (3) are well-known (for (2) we refer for instance to [8] or [15]). For proving (4) we use the fact that if a universal theory has a positive algebraic completion then it has the injection transfer property [1]. All theories in (4) are equational theories; by results in [18], for equational theories the injection transfer property is equivalent to the equational interpolation property. With these remarks, (4)(a) follows from the fact that any Gaussian theory is its own positive algebraic completion [1], and (4)(b),(c) from the fact that the theory of semilattices and that of distributive lattices have a positive algebraic completion [1]. □

Similarly it can be proved that the equational classes of (abelian) groups and lattices have ground interpolation.



Appendix B. Proof of Theorem 4.6

Theorem 4.6. We consider the following base theories $T_0$:

(1) $\mathcal{P}$ (posets),

(2) $\mathcal{TO}$ (totally-ordered sets),

(3) SLat (semilattices),

(4) DLat (distributive lattices),

(5) Bool (Boolean algebras),

(6) the theory $\mathbb{R}$ of reals resp. $\mathrm{LI}(\mathbb{R})$ (linear arithmetic over $\mathbb{R}$), or the theory $\mathbb{Q}$ of rationals resp. $\mathrm{LI}(\mathbb{Q})$ (linear arithmetic over $\mathbb{Q}$), or (a subtheory of) the theory of integers (e.g. Presburger arithmetic).

The following theory extensions are local:

(a) Extensions of any theory $T_0$ for which $\le$ is reflexive with functions satisfying boundedness ($\mathrm{Bound}^t(f)$) or guarded boundedness ($\mathrm{GBound}^t(f)$) conditions

($\mathrm{Bound}^t(f)$) $\forall x_1, \dots, x_n\ (f(x_1, \dots, x_n) \le t(x_1, \dots, x_n))$
($\mathrm{GBound}^t(f)$) $\forall x_1, \dots, x_n\ (\phi(x_1, \dots, x_n) \to f(x_1, \dots, x_n) \le t(x_1, \dots, x_n))$,

where $t(x_1, \dots, x_n)$ is a term in the base signature $\Pi_0$ and $\phi(x_1, \dots, x_n)$ a conjunction of literals in the signature $\Pi_0$, whose variables are in $\{x_1, \dots, x_n\}$.

(b) Extensions of any theory $T_0$ in (1)-(6) with $\mathrm{Mon}(f) \wedge \mathrm{Bound}^t(f)$, if $t(x_1, \dots, x_n)$ is a term in the base signature $\Pi_0$ in the variables $x_1, \dots, x_n$ such that for every model of $T_0$ the associated function is monotone in the variables $x_1, \dots, x_n$.

(c) Extensions of any theory in (1)-(6) with functions satisfying $\mathrm{Leq}(f, g) \wedge \mathrm{Mon}(f)$.

($\mathrm{Leq}(f, g)$) $\forall x_1, \dots, x_n, y_1, \dots, y_n\ (\bigwedge_{i=1}^n x_i \le y_i \to f(x_1, \dots, x_n) \le g(y_1, \dots, y_n))$

(d) Extensions of any totally-ordered theory above (i.e. (2) and (6)) with functions satisfying $\mathrm{SGc}(f, g_1, \dots, g_n) \wedge \mathrm{Mon}(f, g_1, \dots, g_n)$.

($\mathrm{SGc}(f, g_1, \dots, g_n)$) $\forall x_1, \dots, x_n, x\ (\bigwedge_{i=1}^n x_i \le g_i(x) \to f(x_1, \dots, x_n) \le x)$

(e) Extensions of any theory in (1)-(3) with functions satisfying $\mathrm{SGc}(f, g_1) \wedge \mathrm{Mon}(f, g_1)$.

All the extensions above satisfy condition $(\mathrm{Loc}^f)$.
Proof. In what follows we will denote by $\Pi_0$ the signature of the base theory $T_0$, and with $\Sigma_1$ the extension functions, namely $f$ for cases (a) and (b), $f, g$ for case (c), $f, g_1, \dots, g_n$ for case (d) and $f, g_1$ for case (e).

(a) Let $(P, f_P)$ be a partial $\Pi$-structure which weakly satisfies $\mathrm{Bound}^t(f)$, such that $P \in \mathrm{Mod}(T_0)$ and $f_P : P^n \to P$ is partial. Let $A = (P, f_A)$ be a total $\Pi$-structure with the same support as $P$, where:

$f_A(x_1, \dots, x_n) = f_P(x_1, \dots, x_n)$ if $f_P(x_1, \dots, x_n)$ is defined, and $f_A(x_1, \dots, x_n) = t(x_1, \dots, x_n)$ otherwise.

Then $A$ satisfies $\mathrm{Bound}^t(f)$. Let $i : (P, f_P) \to (A, f_A)$ be the identity. Obviously, $i$ is a $\Pi_0$-isomorphism; and if $f_P(x_1, \dots, x_n)$ is defined then $i(f_P(x_1, \dots, x_n)) = f_P(x_1, \dots, x_n) = f_A(x_1, \dots, x_n)$. Similar arguments also apply to $\mathrm{GBound}^t(f)$.

(b) Let $(P, f_P)$ be a partial $\Pi$-structure which weakly satisfies $\mathrm{Bound}^t(f) \wedge \mathrm{Mon}(f)$, such that $P \in \mathrm{Mod}(T_0)$ and $f_P : P^n \to P$ is partial. In cases (1)-(3) let $A = (\mathrm{OI}(P), f_A)$, where $\mathrm{OI}(P)$ is the family of all order ideals of $P$, and

$f_A(U_1, \dots, U_n) = {\downarrow}\{ f_P(u_1, \dots, u_n) \mid u_i \in U_i,\ f_P(u_1, \dots, u_n) \text{ defined} \}$.

$f_A$ is clearly monotone. Let $z \in f_A(U_1, \dots, U_n)$. Then $z \le f_P(u_1, \dots, u_n)$ for some $u_i \in U_i$ with $f_P(u_1, \dots, u_n)$ defined. As $P \models_w \mathrm{Bound}^t(f)$, $f_P(u_1, \dots, u_n) \le t(u_1, \dots, u_n)$. Therefore $z \in t(U_1, \dots, U_n)$. The map $i : (P, f_P) \to (A, f_A)$ defined by $i(p) = {\downarrow}p$ is a weak embedding.

Since DLat and Bool are locally finite, results in [15] show that in (4) and (5) it is sufficient to assume that $P$ is finite. Let $A = (P, f_A)$, where

$f_A(x_1, \dots, x_n) = \bigvee \{ f_P(u_1, \dots, u_n) \mid u_i \le x_i,\ f_P(u_1, \dots, u_n) \text{ defined} \}$.

$f_A$ is clearly monotone. We prove that it also satisfies the boundedness condition, i.e. that for all $x_1, \dots, x_n$, $f_A(x_1, \dots, x_n) \le t(x_1, \dots, x_n)$. By definition, $f_A(x_1, \dots, x_n) = \bigvee \{ f_P(u_1, \dots, u_n) \mid u_i \le x_i,\ f_P(u_1, \dots, u_n) \text{ defined} \}$. As $P \models_w \mathrm{Bound}^t(f)$ and $t$ is monotone, we know that $f_P(u_1, \dots, u_n) \le t(u_1, \dots, u_n) \le t(x_1, \dots, x_n)$ for all $u_i \le x_i$ with $f_P(u_1, \dots, u_n)$ defined. Therefore,

$f_A(x_1, \dots, x_n) = \bigvee \{ f_P(u_1, \dots, u_n) \mid u_i \le x_i,\ f_P(u_1, \dots, u_n) \text{ defined} \} \le t(x_1, \dots, x_n)$.

That the identity $i$ is a weak embedding can be proved as before.

(c) The proof is very similar to the proof of (b). We first discuss the case (1)-(3). Let $(P, f_P, g_P)$ be a weak partial model of $T_1$. Let $A = (\mathrm{OI}(P), f_A, g_A)$, where $f_A$ is defined as in (b). We define $g_A(U_1, \dots, U_n)$ by

$g_A(U_1, \dots, U_n) = {\downarrow}g_P(x_1, \dots, x_n)$ if $U_i = {\downarrow}x_i$ and $g_P(x_1, \dots, x_n)$ is defined, and $g_A(U_1, \dots, U_n) = f_A(U_1, \dots, U_n)$ otherwise.

Assume that $U_1 \subseteq V_1, \dots, U_n \subseteq V_n$, and let $z \in f_A(U_1, \dots, U_n)$. Then $z \le f_P(u_1, \dots, u_n)$ for some $u_i \in U_i \subseteq V_i$ with $f_P(u_1, \dots, u_n)$ defined. If $V_i = {\downarrow}x_i$ and $g_P(x_1, \dots, x_n)$ is defined, then $u_i \le x_i$ so, as $P \models_w \mathrm{Leq}(f, g)$, we know that $f_P(u_1, \dots, u_n) \le g_P(x_1, \dots, x_n)$. It therefore follows that in this case $z \in {\downarrow}g_P(x_1, \dots, x_n) = g_A(V_1, \dots, V_n)$. Otherwise, $g_A(V_1, \dots, V_n) = f_A(V_1, \dots, V_n)$, hence $f_A(U_1, \dots, U_n) \subseteq g_A(V_1, \dots, V_n)$.
For the cases (4) and (5) we again use the criterion in [15] and Theorem 4.5. Let $(P, f_P, g_P)$ be a weak partial model of $T_1$. Let $a_0 \in P$ be such that $a_0 \ge f_P(p_1, \dots, p_n)$ whenever $f_P(p_1, \dots, p_n)$ is defined. We define $A = (P, f_A, g_A)$ as follows:

$g_A(x_1, \dots, x_n) = g_P(x_1, \dots, x_n)$ if $g_P(x_1, \dots, x_n)$ is defined, and $g_A(x_1, \dots, x_n) = a_0$ otherwise;

$f_A(x_1, \dots, x_n) = \bigvee \{ f_P(u_1, \dots, u_n) \mid u_i \le x_i,\ f_P(u_1, \dots, u_n) \text{ defined} \}$.

$f_A$ is obviously monotone. In order to prove that the second condition holds, let $x_i \le y_i$ for all $i$; we analyze two cases. Assume first that $g_P(y_1, \dots, y_n)$ is undefined. Then $g_A(y_1, \dots, y_n) = a_0 \ge f_P(u_1, \dots, u_n)$ for all $u_i \le x_i$ with $f_P(u_1, \dots, u_n)$ defined, thus $g_A(y_1, \dots, y_n) = a_0 \ge \bigvee \{ f_P(u_1, \dots, u_n) \mid u_i \le x_i,\ f_P(u_1, \dots, u_n) \text{ defined} \} = f_A(x_1, \dots, x_n)$. If $g_P(y_1, \dots, y_n)$ is defined, then for all $u_i \le x_i$ with $f_P(u_1, \dots, u_n)$ defined we also have $u_i \le y_i$, so $f_P(u_1, \dots, u_n) \le g_P(y_1, \dots, y_n) = g_A(y_1, \dots, y_n)$. Again, it follows that $f_A(x_1, \dots, x_n) \le g_A(y_1, \dots, y_n)$.

(d) Let $T_0$ be the theory of totally ordered sets. Assume that $(P, f_P, (g_P^i))$ is a totally ordered weak partial model of $\mathrm{SGc}(f, g_1, \dots, g_n) \wedge \mathrm{Mon}(f, g_1, \dots, g_n)$. Let $A = (\mathrm{OI}(P), f_A, (g_A^i))$, where $f_A$ and $g_A^i$ are extensions of $f_P, g_P^i$ defined as in the proof of (b). $f_A, g_A^1, \dots, g_A^n$ are obviously monotone. We prove that the condition $\mathrm{SGc}(f, g_1, \dots, g_n)$ holds in $A$. Assume that $U_i \subseteq g_A^i(V)$ for $i = 1, \dots, n$, and let $x \in f_A(U_1, \dots, U_n)$. Then there exist $u_i \in U_i \subseteq g_A^i(V)$ such that $f_P(u_1, \dots, u_n)$ is defined and $x \le f_P(u_1, \dots, u_n)$. As $u_i \in g_A^i(V)$, there exist $v_i \in V$ such that $g_P^i(v_i)$ is defined and $u_i \le g_P^i(v_i)$. Let $v = \max(v_1, \dots, v_n)$. Then $u_i \le g_P^i(v)$. Hence $f_P(u_1, \dots, u_n) \le v \in V$. Therefore, $x \le f_P(u_1, \dots, u_n) \in V$ so $x \in V$. Let $i : P \to A$ be defined by $i(p) = {\downarrow}p$. To show that it is a weak embedding we only have to show that if $g_P(x_1, \dots, x_n)$ is defined then $i(g_P(x_1, \dots, x_n)) = {\downarrow}g_P(x_1, \dots, x_n) = g_A({\downarrow}x_1, \dots, {\downarrow}x_n)$. This is true by the definition of $g_A$.

(e) Assume that $T_0$ is the theory of semilattices. The construction in (d) can be applied to this case without problems. The proof is similar to that of (d) with the difference that if $n = 1$ we only have one element $v_1$, so we do not need to compute a maximum (which for $n \ge 2$ may not exist if the order is not total).

The proof of the fact that the remaining theories satisfy $(\mathrm{Loc}^f)$ is based on the criterion of finite locality given in Theorem 4.5. The constructions and the proofs are similar to those in the proof of (b) resp. (c) for the cases (4) and (5). Due to the fact that we assumed that the definition domain of the extension functions is finite, $\bigvee \{ f_P(u_1, \dots, u_n) \mid u_i \le x_i,\ f_P(u_1, \dots, u_n) \text{ defined} \}$ is a finite join, and thus exists (if $f$ is nowhere defined it is sufficient to define it as being everywhere equal to $t$ in case (b) or to $g_A$ in case (c)). The fact that the definition domains are finite also ensures that in the proof of (c) an element $a_0$ (chosen in the definition of $g_A$) with the desired properties always exists. □



Theorem 5.4. The following theories have ground interpolation and are convex and $P$-interpolating with respect to the indicated set $P$ of predicate symbols:

(1) The theory EQ of pure equality without function symbols (for $P = \{\approx\}$).

(2) The theory PoSet of posets (for $P = \{\approx, \le\}$).

(3) Linear rational arithmetic $\mathrm{LI}(\mathbb{Q})$ and linear real arithmetic $\mathrm{LI}(\mathbb{R})$ (convex with respect to $P = \{\approx\}$, strongly $P$-interpolating for $P = \{\le\}$).

(4) The theories Bool of Boolean algebras, SLat of semilattices and DLat of distributive lattices (strongly $P$-interpolating for $P = \{\approx, \le\}$).

Proof. Note first that if a partially-ordered theory is interpolating for $\le$ it is also for $\approx$. Assume that $A \wedge B \models_T a \approx b$. Then $A \wedge B \models_T a \le b$ and $A \wedge B \models_T b \le a$, hence there exist terms $t_1, t_2$ containing only common constants of $A$ and $B$ such that $A \wedge B \models a \le t_1 \wedge t_1 \le b$ and $A \wedge B \models b \le t_2 \wedge t_2 \le a$. It follows that $A \wedge B \models t_1 \approx t_2$ and $A \wedge B \models a \approx t_1 \wedge t_1 \approx b$. (1) and (2): convexity is obvious; the property of being $P$-interpolating can be proved by induction on the structure of proofs. (3) is known (cf. e.g. [8]). A method for computing interpolating terms for $\mathrm{LI}(\mathbb{R})$ and $\mathrm{LI}(\mathbb{Q})$ is presented in

(4) This is a constructive proof based on ideas from [12, 13]. The results presented there show, as an easy particular case, that one can reduce the problem of checking the satisfiability of a conjunction $\Gamma$ of unit clauses with respect to one of the theories above to checking the satisfiability of a conjunction $\mathrm{Ren}_\Gamma \wedge P_\Gamma \wedge N_\Gamma$ obtained by introducing a propositional variable $P_e$ for each subterm $e$ occurring in $\Gamma$, a set of renaming rules of the form

$P_{e_1\, op\, e_2} \leftrightarrow P_{e_1}\, op\, P_{e_2}$   for $op$ a binary Boolean operation,

$P_{\neg e} \leftrightarrow \neg P_e$   in the case of Bool,

and translations of the positive resp. negative part of $\Gamma$:

$P_s \leftrightarrow P_{s'}$   for $s \approx s' \in \Gamma$,

$\neg(P_s \leftrightarrow P_{s'})$   for $s \not\approx s' \in \Gamma$.

(a) The convexity of the theory of Boolean algebras with respect to $\approx$ follows from the fact that this is an equational class; convexity with respect to $\le$ follows from the fact that $x \le y$ if and only if $x \wedge y \approx x$. We prove that the theory of Boolean algebras is $\le$-interpolating, i.e. that if $A$ and $B$ are two conjunctions of literals and $A \wedge B \models_{\mathrm{Bool}} a \le b$, where $a$ is a constant occurring in $A$ and not in $B$ and $b$ a constant occurring in $B$ and not in $A$, then there exists a term $t$ containing only common constants in $A$ and $B$ such that $A \models_{\mathrm{Bool}} a \le t$ and $B \models_{\mathrm{Bool}} t \le b$. We can assume without loss of generality that $A$ and $B$ consist only of atoms (otherwise one moves the negative literals to the right and uses convexity). $A \wedge B \models_{\mathrm{Bool}} a \le b$ if and only if the following conjunction of literals in propositional logic is unsatisfiable:

(Ren($\wedge$))   $P_{e_1 \wedge e_2} \leftrightarrow P_{e_1} \wedge P_{e_2}$        $P_{g_1 \wedge g_2} \leftrightarrow P_{g_1} \wedge P_{g_2}$
(Ren($\vee$))   $P_{e_1 \vee e_2} \leftrightarrow P_{e_1} \vee P_{e_2}$        $P_{g_1 \vee g_2} \leftrightarrow P_{g_1} \vee P_{g_2}$
(Ren($\neg$))   $P_{\neg e} \leftrightarrow \neg P_e$        $P_{\neg g} \leftrightarrow \neg P_g$
(P)   $P_{e_1} \leftrightarrow P_{e_2}$ for $e_1 \approx e_2 \in A$        $P_{g_1} \leftrightarrow P_{g_2}$ for $g_1 \approx g_2 \in B$
(N)   $P_a$        $\neg P_b$

for all $e, e_1, e_2$ subterms in $A$ (left column) and for all $g, g_1, g_2$ subterms in $B$ (right column).

We obtain an unsatisfiable set of clauses $(N_A \wedge P_a) \wedge (N_B \wedge \neg P_b) \models \bot$. Propositional logic allows interpolation, so there exists an interpolant $I = I(P_{e_1}, \dots, P_{e_n})$, which is a Boolean combination (say in CNF) of the common propositional variables occurring in $N_A$ and $N_B$ such that

$(N_A \wedge P_a) \models I$ and $(N_B \wedge \neg P_b) \wedge I \models \bot$.

But then $A \models_{\mathrm{Bool}} a \le I(e_1, \dots, e_n)$ and $B \models_{\mathrm{Bool}} I(e_1, \dots, e_n) \le b$.

(4)(b) The proof is similar to that of (4)(a) with the difference that in the renaming rules in the structure-preserving translation to clause form only the conjunction rules apply, hence $N_A$ and $N_B$ are sets of non-negative Horn clauses. We can saturate $N_A \cup \{P_a\}$ under resolution with selection on the negative literals in linear time. The saturated set $N_A^*$ of clauses contains all unit clauses $P_e$ where $e$ is a subterm of $A$ with $A \models_{\mathrm{SLat}} a \le e$. Only unit positive clauses $P_e$ where $e$ occurs in both $A$ and $B$ can enter into resolution inferences with clauses in $N_B \cup \{\neg P_b\}$, and lead to a contradiction. Thus we proved that

$\bigwedge \{ P_e \mid A \models_{\mathrm{SLat}} a \le e,\ e \text{ common subterm} \} \wedge N_B \wedge \neg P_b \models \bot$.

This is equivalent to $B \models_{\mathrm{SLat}} t \le b$, where

$t = \bigwedge \{ e \mid A \models_{\mathrm{SLat}} a \le e,\ e \text{ common subterm of } A \text{ and } B \}$.

Obviously, $A \models_{\mathrm{SLat}} a \le t$.
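The saturation argument of (4)(b), carried out on a small constructed instance as an added example (this is not code from the paper): subterms are renamed by propositional variables, the Horn clauses of $N_A \cup \{P_a\}$ are saturated by forward chaining, and $t$ is the meet of the derived common subterms. The term syntax (`&` for the meet, atoms `s = s2` and `s <= s2`) and all function names are assumptions of this example.

```python
# Added example, not from the paper: computing an interpolating term t for the
# theory SLat of semilattices by the saturation argument of case (4)(b).
# Every subterm e is renamed by a propositional variable P_e (represented here by
# the term itself); SLat only needs the conjunction renaming rule, so the clauses
# are Horn and forward chaining (resolution with negative selection) saturates them.
# Syntax and names are constructed for this example: "&" is the meet, an atom is
# "s = s2" or "s <= s2", the latter read as "s & s2 = s" as in the proof.
import re

def parse(s):
    """Parse 'x', 'x & y', '(x & y) & z' into nested tuples ('&', left, right)."""
    tokens = re.findall(r"\(|\)|&|[A-Za-z_]\w*", s)
    pos = 0

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            t = meet()
            assert tokens[pos] == ")", "missing ')' in " + s
            pos += 1
            return t
        return tok

    def meet():
        nonlocal pos
        t = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            t = ("&", t, atom())
        return t

    t = meet()
    assert pos == len(tokens), "trailing input in " + s
    return t

def subterms(t, acc=None):
    acc = set() if acc is None else acc
    acc.add(t)
    if isinstance(t, tuple):
        subterms(t[1], acc)
        subterms(t[2], acc)
    return acc

def parse_atom(s):
    """Return the equation (l, r) denoted by 'l = r' or 'l <= r'."""
    if "<=" in s:
        l, r = (parse(x) for x in s.split("<="))
        return (("&", l, r), l)          # l <= r  iff  l & r = l
    l, r = (parse(x) for x in s.split("="))
    return (l, r)

def horn_clauses(atoms):
    """Clauses (premises, conclusion) of Ren plus the translation of the
    positive atoms P_s <-> P_s', with terms standing for their variables."""
    clauses, terms = [], set()
    for l, r in atoms:
        terms |= subterms(l) | subterms(r)
        clauses += [(frozenset([l]), r), (frozenset([r]), l)]
    for e in terms:
        if isinstance(e, tuple):                  # Ren(&): P_{e1&e2} <-> P_e1 & P_e2
            _, e1, e2 = e
            clauses += [(frozenset([e]), e1), (frozenset([e]), e2),
                        (frozenset([e1, e2]), e)]
    return clauses, terms

def saturate(clauses, facts):
    """Forward chaining on Horn clauses: all P_e derivable from the unit facts."""
    facts = set(facts)
    changed = True
    while changed:
        changed = False
        for prem, concl in clauses:
            if concl not in facts and prem <= facts:
                facts.add(concl)
                changed = True
    return facts

def show(t):
    return t if isinstance(t, str) else "(%s & %s)" % (show(t[1]), show(t[2]))

def interpolating_term(A, B, a, b):
    """If A & B |=_SLat a <= b, return a term t (as a string) over the common
    subterms with A |= a <= t and B |= t <= b; otherwise return None."""
    clauses_a, terms_a = horn_clauses([parse_atom(x) for x in A])
    clauses_b, terms_b = horn_clauses([parse_atom(x) for x in B])
    a, b = parse(a), parse(b)
    if a not in terms_a:
        return None
    derived = saturate(clauses_a, [a])            # N_A^*: all e with A |= a <= e
    common = sorted((e for e in derived if e in terms_b), key=show)
    # B together with the units P_e for the common e must refute ~P_b
    if not common or b not in saturate(clauses_b, common):
        return None
    t = common[0]
    for e in common[1:]:
        t = ("&", t, e)                            # t = meet of the common e
    return show(t)
```

With $A = \{a \le c, a \le d\}$ and $B = \{c \wedge d \le b\}$ the saturation derives $P_c$ and $P_d$ from $P_a$, and the returned term is $c \wedge d$.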

(4)(c) The case of distributive lattices can be treated similarly. Due to the fact that in this case the renaming rules for $\vee$ and $\wedge$ are taken into account, the sets $N_A$ and $N_B$ are not Horn. We adopt the same negative selection strategy. When saturating $N_A \cup \{P_a\}$ a finite set of positive clauses is generated, namely of the form $P_{e_1} \vee \dots \vee P_{e_n}$ where $A \models_{\mathrm{DL}} a \le (e_1 \vee \dots \vee e_n)$. We consider a total ordering on the propositional variables where $P_e$ is larger than $P_g$ if $e$ occurs in $A$ and not in $B$ and $g$ occurs in both $A$ and $B$. Then the only inferences which can lead to a contradiction with $N_B \cup \{\neg P_b\}$ are those between the clauses in $N_A^*$ which only contain common propositional variables. Thus we proved that

$\bigwedge \{ \bigvee_i P_{e_i} \mid A \models_{\mathrm{DL}} a \le \bigvee_i e_i,\ e_i \text{ common terms} \} \wedge N_B \wedge \neg P_b \models \bot$.

This is equivalent to $B \models_{\mathrm{DL}} t \le b$, where $t = \bigwedge \{ \bigvee_i e_i \mid A \models_{\mathrm{D L}} a \le \bigvee_i e_i, \text{ where all } e_i \text{ are common subterms of } A \text{ and } B \}$. Obviously, $A \models_{\mathrm{DL}} a \le t$. □